Abstract. Refinement types sharpen systems of simple and dependent types by offering 
expressive means to more precisely classify well-typed terms. We present a system of 
refinement types for LF in the style of recent formulations where only canonical forms are 
well-typed. Both the usual LF rules and the rules for type refinements are bidirectional, 
leading to a straightforward proof of decidability of typechecking even in the presence of 
intersection types. Because we insist on canonical forms, structural rules for subtyping 
can now be derived rather than being assumed as primitive. We illustrate the expressive 
power of our system with examples and validate its design by demonstrating a precise 
correspondence with traditional presentations of subtyping. 

Proof irrelevance provides a mechanism for selectively hiding the identities of terms 
in type theories. We show that LF refinement types can be interpreted as predicates 
using proof irrelevance, establishing a uniform relationship between two previously studied 
concepts in type theory. The interpretation and its correctness proof are surprisingly 
complex, lending support to the claim that refinement types are a fundamental construct 
rather than just a convenient surface syntax for certain uses of proof irrelevance. 



LF was created as a framework for defining logics and programming languages [HHP93].
Since its inception, it has been used to represent and formalize reasoning about a number of
deductive systems, which are prevalent in the study of logics and programming languages.
In its most recent incarnation as the Twelf metalogic [PS99], it has been used to encode
and mechanize the metatheory of programming languages that are prohibitively complex
to reason about on paper [Cra03, LCH07].

It has long been recognized that some LF encodings would benefit from the addition of
a subtyping mechanism to LF [Pfe93, AC01]. In LF encodings, judgments are represented
by type families, and many subsets of data types and judgmental inclusions can be elegantly 
represented via subtyping. 
Prior work has explored adding subtyping and intersection types to LF via refinement
types [Pfe93]. Many of that system's metatheoretic properties were proven indirectly by
translation into other systems, though, giving little insight into notions of adequacy or
implementation strategies. We begin this paper by presenting a refinement type system
for LF based on the modern canonical forms approach [WCPW02, HL07], and by doing so
we obtain direct proofs of important properties like decidability. Moreover, the theory of 
canonical forms provides the basis for a study of adequacy theorems exploiting refinement 
types. 

In canonical forms-based LF, only β-normal η-long terms are well-typed: the syntax
restricts terms to being β-normal, while the typing relation forces them to be η-long. Since
standard substitution might introduce redexes even when substituting a normal term into
a normal term, it is replaced with a notion of hereditary substitution that contracts redexes
along the way, yielding another normal term. Since only canonical forms are admitted, type
equality is just α-equivalence, and typechecking is manifestly decidable.

Canonical forms are exactly the terms one cares about when adequately encoding a 
language in LF, so this approach loses no expressivity. Since all terms are normal, there is 
no notion of reduction, and thus the metatheory need not directly treat properties related 
to reduction, such as subject reduction, Church-Rosser, or strong normalization. All of the 
metatheoretic arguments become straightforward structural inductions, once the theorems 
are stated properly. 

By introducing a layer of refinements distinct from the usual layer of types, we prevent 
subtyping from interfering with our extension's metatheory. We also follow the general 
philosophy of prior work on refinement types [FP91, Fre94, Dav05] in only assigning refined
types to terms already well-typed in pure LF, ensuring that our extension is conservative. 

As a simple example, we study the representation of natural numbers as well as even 
and odd numbers. In normal logical discourse, we might define these with the following 
grammar: 

Natural numbers   n ::= z | s(n)

Even numbers      e ::= z | s(o)
Odd numbers       o ::= s(e)
The first line can be seen as defining the abstract syntax of natural numbers in unary form, 
the second and third lines as defining two subsets of the natural numbers defined in the 
first line. We will follow this informal convention, and represent the first as a type with two 
constructors. 

nat : type.

z : nat.

s : nat → nat.

The second and third line define even and odd numbers as a subset of the natural numbers,
which we represent as refinements of the type nat.

even ⊏ nat.  odd ⊏ nat.

z :: even.

s :: even → odd ∧ odd → even.

In the above, even ⊏ nat declares even as a refinement of the type nat, and the declarations
using :: give more precise sorts for the constructors z and s. Note that since the successor
function satisfies two unrelated properties, we give two refinements for it using an intersection
sort. We can give similar representations of all regular tree grammars as refinements,
which then represent regular tree types [DZ92]. Our language generalizes this further to
allow binding operators and dependent types, both of which it inherits from LF, thereby
going far beyond what can be recognized with tree automata [CDG+07].

Already in this example we can see that it is natural to use refinements to represent 
certain subsets of data types. Conversely, refinements can be interpreted as defining subsets. 
In the second part of this paper, we exhibit an interpretation of LF refinement types which 
we refer to as the "subset interpretation", since a sort refining a type is interpreted as a 
predicate embodying the refinement, and the set of terms having that sort is simply the 
subset of terms of the refined type that also satisfy the predicate. For example, under the 
subset interpretation, we translate the refinements even and odd to predicates on natural 
numbers. The refinement declarations for z and s turn into constructors for proofs of these 
predicates. 

even : nat → type.  odd : nat → type.

ẑ : even z.

ŝ₁ : Πx:nat. even x → odd (s x).
ŝ₂ : Πx:nat. odd x → even (s x).

The successor function's two unrelated sorts translate to proof constructors for two different 
predicates. 

We show that our interpretation is correct by proving, for instance, that a term N has
sort S if and only if its translation N̂ has type Ŝ(N), where Ŝ(−) is the translation of
the sort S into a type family representing a predicate; thus, an adequate encoding using
refinement types remains adequate after translation. The chief complication in proving
correctness is the dependency of types on terms, which forces us to deal with a coherence
problem [BTCGS91, Rey91].

Normally, subset interpretations are not subject to the issue of coherence — that is, 
of ensuring that the interpretation of a judgment is independent of its derivation — since 
the terms in the target of the translation are the same as the terms in the source, just 
with the stipulation that a certain property hold of them. The proofs of these properties 
are computationally immaterial, so they may simply be ignored. But the presence of full 
dependent types in LF means that the interpretation of a sort might depend on these proofs, 
potentially violating the adequacy of representations. 

In order to solve the coherence problem we employ proof irrelevance, a technique used in
type theories to selectively hide the identities of terms representing proofs [Pfe01a, AB04].
In the example, the terms whose identity should be irrelevant are those constructing proofs
of odd(n) and even(n), that is, those composed from ẑ, ŝ₁, and ŝ₂.

The subset interpretation completes our intuitive understanding of refinement types as 
representing subsets of types. It turns out that in the presence of variable binding and 
dependent types, this understanding is considerably more difficult to attain than it might 
seem from the small example above. 

In the remainder of the paper, we describe our refinement type system alongside a few
illustrative examples (Section 2). Then we explore its metatheory and sketch proofs of key
results, including decidability (Section 3). We note that our approach leads to subtyping
only being defined at base types, but we show that this is no restriction at all: subtyping at
higher types is intrinsically present due to the use of canonical forms (Section 4). Next, we
take a brief detour to review prior work on proof irrelevance (Section 5), setting the stage
for our subset interpretation and proofs of its correctness (Section 6). Finally, we offer some
concluding remarks on the broader implications of our work (Section 7).

This paper represents a combination of the developments in a technical report on the
basic design of LF with refinement types [LP08a, LP08b] and a conference paper sketching
the subset interpretation [LP09].

2. System and Examples 

We present our system of LF with Refinements, LFR, through several examples. In what 
follows, R refers to atomic terms and N to normal terms. Our atomic and normal terms 
are exactly the terms from canonical presentations of LF. 

R ::= c | x | R N          atomic terms

N, M ::= R | λx. N         normal terms

In this style of presentation, typing is defined bidirectionally by two judgments: R ⇒ A,
which says atomic term R synthesizes type A, and N ⇐ A, which says normal term N
checks against type A. Since λ-abstractions are always checked against a given type, they
need not be decorated with their domain types.

Types are similarly stratified into atomic and normal types. 

P ::= a | P N              atomic type families

A, B ::= P | Πx:A. B       normal type families

The operation of hereditary substitution, written [N/x]_A, is a partial function which
computes the normal form of the standard capture-avoiding substitution of N for x. It
is indexed by the putative type of x, A, to ensure termination, but neither the variable
x nor the substituted term N are required to bear any relation to this type index for the
operation to be defined. We show in Section 3 that when N and x do have type A, hereditary
substitution is a total function on well-formed terms.

As a philosophical aside, we note that restricting our attention to normal terms in 
this way is similar to the idea of restricting one's attention to cut-free proofs in a sequent 
calculus [Pfe00]. Showing that hereditary substitution can always compute a canonical
form is analogous to showing the cut rule admissible. And just as cut admissibility may 
be used to prove a cut elimination theorem, hereditary substitution may be used to prove 
a normalization theorem relating the canonical approach to traditional formulations. We 
will not explore the relationship any further in the present work: the canonical terms are 
the only ones we care about when formalizing deductive systems in a logical framework, so 
we simply take the canonical presentation as primary. 

Our layer of refinements uses metavariables Q for atomic sorts and S for normal sorts. 
These mirror the definition of types above, except for the addition of intersection and "top" 
sorts. 

Q ::= s | Q N                                  atomic sort families

S, T ::= Q | Πx::S⊏A. T | ⊤ | S₁ ∧ S₂          normal sort families

Sorts are related to types by a refinement relation, S ⊏ A ("S refines A"), discussed below.
We only sort-check well-typed terms, and a term of type A can be assigned a sort S only
when S ⊏ A. These constraints are collectively referred to as the "refinement restriction".
We occasionally omit the "⊏ A" from function sorts when it is clear from context.
Deductive systems are encoded in LF using the judgments-as-types principle [HHP93,
HL07]: syntactic categories are represented by simple types, and judgments over syntax
are represented by dependent type families. Derivations of judgments are inhabitants of
those type families, and well-formed derivations correspond to well-typed LF terms. An LF
signature is a collection of kinding declarations a : K and typing declarations c : A that
establishes a set of syntactic categories, a set of judgments, and inhabitants of both. In
LFR, we can represent syntactic subsets or sets of derivations that have certain properties
using sorts. Thus one might say that the methodology of LFR is properties-as-sorts.

2.1. Example: Natural Numbers. For the first running example we will use the natural 
numbers in unary notation. In LF, they would be specified as follows:

nat : type.

z : nat.

s : nat → nat.

These declarations establish a syntactic category of natural numbers populated by two 
constructors, a constant constructor representing zero and a unary constructor representing 
the successor function. 

Suppose we would like to distinguish the odd and the even numbers as refinements of 
the type of all numbers. 

even ⊏ nat.

odd ⊏ nat.

The form of the declaration is s ⊏ a where a is a type family already declared and s is a
new sort family. Sorts headed by s are declared in this way to refine types headed by a.
The relation S ⊏ A is extended through the whole sort hierarchy in a compositional way.
Next we declare the sorts of the constructors. For zero, this is easy: 
z :: even. 

The general form of this declaration is c :: S, where c is a constant already declared in the
form c : A, and where S ⊏ A. The declaration for the successor is slightly more difficult,
because it maps even numbers to odd numbers and vice versa. In order to capture both
properties simultaneously we need to use an intersection sort, written as S₁ ∧ S₂ (intersection
has lower precedence than arrow).

s :: even → odd ∧ odd → even.

In order for an intersection to be well-formed, both components must refine the same type.
The nullary intersection ⊤ can refine any type, and represents the maximal refinement of
that type. (As usual in LF, we use A → B as shorthand for the dependent type Πx:A. B when
x does not occur in B.)

  s ⊏ a ∈ Σ                          S ⊏ A    T ⊏ B             S₁ ⊏ A    S₂ ⊏ A
  -------------------------------    ----------------------     ----------------    -------
  s N₁ ... N_k ⊏ a N₁ ... N_k        Πx::S. T ⊏ Πx:A. B         S₁ ∧ S₂ ⊏ A         ⊤ ⊏ A

To show that the declaration for s is well-formed, we establish that even → odd ∧ odd →
even ⊏ nat → nat.
Canonical LF                                    LF with Refinements

  Γ, x:A ⊢ N ⇐ B                                  Γ, x::S⊏A ⊢ N ⇐ T
  ------------------------ (Π-I)                  ----------------------------- (Π-I)
  Γ ⊢ λx. N ⇐ Πx:A. B                             Γ ⊢ λx. N ⇐ Πx::S⊏A. T

  Γ ⊢ R ⇒ P'    P' = P                            Γ ⊢ R ⇒ Q'    Q' ≤ Q
  ------------------------ (switch)               ----------------------------- (switch)
  Γ ⊢ R ⇐ P                                       Γ ⊢ R ⇐ Q

  x:A ∈ Γ                                         x::S⊏A ∈ Γ
  ------------------------ (var)                  ----------------------------- (var)
  Γ ⊢ x ⇒ A                                       Γ ⊢ x ⇒ S

  c:A ∈ Σ                                         c::S ∈ Σ
  ------------------------ (const)                ----------------------------- (const)
  Γ ⊢ c ⇒ A                                       Γ ⊢ c ⇒ S

  Γ ⊢ R ⇒ Πx:A. B    Γ ⊢ N ⇐ A                    Γ ⊢ R ⇒ Πx::S⊏A. T    Γ ⊢ N ⇐ S
  ------------------------------ (Π-E)            ----------------------------------- (Π-E)
  Γ ⊢ R N ⇒ [N/x]_A B                             Γ ⊢ R N ⇒ [N/x]_A T

The refinement relation S ⊏ A should not be confused with the usual subtyping relation.
Although each is a kind of subset relation, they are quite different: subtyping relates two
types, is contravariant in the domains of function types, and is transitive, while refinement
relates a sort to a type, so it does not make sense to consider its variance or whether it is
transitive. We will discuss subtyping below and in Section 4. (It may help to recall the
interpretation of S ⊏ A: for a term to be judged to have sort S, it must already have been
judged to have type A for some A such that S ⊏ A. Thus, the refinement relation represents
an inclusion "by fiat": every term with sort S is also a term of type A, by invariant. By
contrast, subsorting S₁ ≤ S₂ is a more standard sort of inclusion: every term with sort S₁ is
also a term of sort S₂, by subsumption; see Section 3.)

Now suppose that we also wish to distinguish the strictly positive natural numbers. We
can do this by introducing a sort pos refining nat and declaring that the successor function
yields a pos when applied to anything, using the maximal sort.

pos ⊏ nat.

s :: ··· ∧ ⊤ → pos.

Since we only sort-check well-typed programs and s is declared to have type nat → nat, the
sort ⊤ here acts as a sort-level reflection of the entire nat type.

We can specify that all odds are positive by declaring odd to be a subsort of pos.

odd ≤ pos.

Although any ground instance of odd is evidently pos, we need the subsorting declaration
to establish that variables of sort odd are also pos.

Putting it all together, we have the following:

even ⊏ nat.  odd ⊏ nat.  pos ⊏ nat.
odd ≤ pos.
z :: even.
s :: even → odd ∧ odd → even ∧ ⊤ → pos.

Now we should be able to verify that, for example, s (s z) ⇐ even. To explain how,
we analogize with pure canonical LF. Recall that atomic types have the form a N₁ ... N_k
for a type family a and are denoted by P. Arbitrary types A are either atomic (P) or
(dependent) function types (Πx:A. B). Canonical terms are then characterized by the rules
shown in the left column above.
There are two typing judgments, N ⇐ A which means that N checks against A (both
given) and R ⇒ A which means that R synthesizes type A (R given as input, A produced
as output). Both take place in a context Γ assigning types to variables. To force terms to
be η-long, the rule for checking an atomic term R only checks it at an atomic type P. It
does so by synthesizing a type P' and comparing it to the given type P. In canonical LF,
all types are already canonical, so this comparison is just α-equality.

On the right-hand side we have shown the corresponding rules for sorts. First, note
that the format of the context Γ is slightly different, because it declares sorts for variables,
not just types. The rules for functions and applications are straightforward analogues to
the rules in ordinary LF. The rule switch for checking atomic terms R at atomic sorts Q
replaces the equality check with a subsorting check and is the only place where we appeal
to subsorting (defined below). For applications, we use the type A that the sort S refines
as the index parameter of the hereditary substitution.

Subsorting is exceedingly simple: it only needs to be defined on atomic sorts, and is
just the reflexive and transitive closure of the declared subsorting relationship.

  s₁ ≤ s₂ ∈ Σ                                           Q₁ ≤ Q'    Q' ≤ Q₂
  ------------------------------     ---------          ------------------
  s₁ N₁ ... N_k ≤ s₂ N₁ ... N_k      Q ≤ Q              Q₁ ≤ Q₂

The sorting rules do not yet treat intersections. In line with the general bidirectional nature
of the system, the introduction rules are part of the checking judgment, and the elimination
rules are part of the synthesis judgment. Binary intersection S₁ ∧ S₂ has one introduction
and two eliminations, while nullary intersection ⊤ has just one introduction.

  Γ ⊢ N ⇐ S₁    Γ ⊢ N ⇐ S₂
  ------------------------ (∧-I)          ---------- (⊤-I)
  Γ ⊢ N ⇐ S₁ ∧ S₂                         Γ ⊢ N ⇐ ⊤

  Γ ⊢ R ⇒ S₁ ∧ S₂                         Γ ⊢ R ⇒ S₁ ∧ S₂
  --------------- (∧-E₁)                  --------------- (∧-E₂)
  Γ ⊢ R ⇒ S₁                              Γ ⊢ R ⇒ S₂

Note that although (canonical forms-style) LF type synthesis is unique, LFR sort synthesis
is not, due to the intersection elimination rules.

Now we can see how these rules generate a deduction of s (s z) ⇐ even. The context is
always empty and therefore omitted. To save space, we abbreviate even as e, odd as o, and
pos as p, and we omit reflexive uses of subsorting.

                                  ⊢ s ⇒ e→o ∧ (o→e ∧ ⊤→p)
                                  ------------------------ ∧-E₁    ⊢ z ⇒ e
                                  ⊢ s ⇒ e→o                        --------- switch
                                                                   ⊢ z ⇐ e
  ⊢ s ⇒ e→o ∧ (o→e ∧ ⊤→p)         -------------------------------------------- Π-E
  ------------------------ ∧-E₂   ⊢ s z ⇒ o
  ⊢ s ⇒ o→e ∧ ⊤→p                 ---------- switch
  ------------------------ ∧-E₁   ⊢ s z ⇐ o
  ⊢ s ⇒ o→e
  ----------------------------------------------------------------------------- Π-E
  ⊢ s (s z) ⇒ e
  -------------- switch
  ⊢ s (s z) ⇐ e

Using the ∧-I rule, we can check that s z is both odd and positive:

  ⊢ s z ⇐ o    ⊢ s z ⇐ p
  ---------------------- ∧-I
  ⊢ s z ⇐ o ∧ p

Each remaining subgoal now proceeds similarly to the above example.
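The derivation above can be mechanized. The following is an added example, not code from the paper or from Twelf: a small bidirectional sort checker for the nat / even / odd / pos signature, with the tuple encodings of terms and sorts chosen here. It assumes terms are already well-typed in LF (the refinement restriction), applies the ∧-eliminations eagerly during synthesis, and decides subsorting by the reflexive-transitive closure of the declared relation, so it reproduces both s (s z) ⇐ even and s z ⇐ odd ∧ pos, and rejects s z ⇐ even.

```python
# Added example (not from the paper): a bidirectional sort checker for the
# nat / even / odd / pos signature. Terms are assumed already well-typed in LF
# (the refinement restriction), so only the sort layer is checked.
#
# Canonical terms:  ("const", c) | ("var", x) | ("app", R, N)   atomic terms R
#                   ("lam", x, N)                                normal term
# Sorts:            ("atom", s) | ("arrow", S, T) | ("top",) | ("and", S1, S2)
# This signature has no dependency, so Πx::S⊏A. T is written as the arrow S → T and
# the hereditary substitution [N/x]_A T in rule Π-E is the identity.

EVEN, ODD, POS, TOP = ("atom", "even"), ("atom", "odd"), ("atom", "pos"), ("top",)

def arrow(s, t): return ("arrow", s, t)
def meet(s, t): return ("and", s, t)

# z :: even.   s :: even → odd ∧ odd → even ∧ ⊤ → pos.   odd ≤ pos.
SIG = {"z": EVEN,
       "s": meet(arrow(EVEN, ODD), meet(arrow(ODD, EVEN), arrow(TOP, POS)))}
SUBSORT_DECLS = {("odd", "pos")}

def subsort_closure(decls):
    """Reflexive, transitive closure of the declared s1 ≤ s2 relation."""
    closure = set(decls) | {(h, h) for pair in decls for h in pair}
    changed = True
    while changed:
        changed = False
        for (a, b) in list(closure):
            for (c, d) in list(closure):
                if b == c and (a, d) not in closure:
                    closure.add((a, d))
                    changed = True
    return closure

LE = subsort_closure(SUBSORT_DECLS)

def subsort(q1, q2):
    """Q1 ≤ Q2 on atomic sorts: equal, or heads related by the declared closure."""
    return q1 == q2 or (q1[1], q2[1]) in LE

def split(s):
    """Apply the ∧-eliminations eagerly: the intersection-free components of s."""
    if s[0] == "and":
        return split(s[1]) + split(s[2])
    return [] if s[0] == "top" else [s]

def synth(ctx, r):
    """Γ ⊢ R ⇒ S: every intersection-free sort that the atomic term R synthesizes."""
    if r[0] == "const":
        return split(SIG[r[1]])                      # rule const
    if r[0] == "var":
        return split(ctx[r[1]])                      # rule var
    _, head, arg = r                                 # rule Π-E
    return [t for s in synth(ctx, head)
            if s[0] == "arrow" and check(ctx, arg, s[1])
            for t in split(s[2])]

def check(ctx, n, s):
    """Γ ⊢ N ⇐ S."""
    if s[0] == "top":                                # ⊤-I
        return True
    if s[0] == "and":                                # ∧-I: check both components
        return check(ctx, n, s[1]) and check(ctx, n, s[2])
    if s[0] == "arrow":                              # Π-I: only a λ checks at a function sort
        if n[0] != "lam":
            return False
        _, x, body = n
        return check({**ctx, x: s[1]}, body, s[2])
    if n[0] == "lam":                                # a λ never checks at an atomic sort
        return False
    # rule switch: some synthesized atomic sort must be a subsort of the expected one
    return any(q[0] == "atom" and subsort(q, s) for q in synth(ctx, n))

def const(c): return ("const", c)
def var(x): return ("var", x)
def app(r, n): return ("app", r, n)
def lam(x, n): return ("lam", x, n)

Z = const("z")
def S(n): return app(const("s"), n)

if __name__ == "__main__":
    print(check({}, S(S(Z)), EVEN))                        # True: the derivation above
    print(check({}, S(Z), meet(ODD, POS)))                 # True: by ∧-I
    print(check({}, S(Z), EVEN))                           # False: s z is odd, not even
    print(check({}, lam("x", var("x")), arrow(ODD, POS)))  # True: needs odd ≤ pos
```

Because synth returns every sort reachable by ∧-E₁/∧-E₂, the non-determinism of sort synthesis that the text mentions shows up as a list rather than as backtracking; the last check only succeeds because the declared subsorting odd ≤ pos is consulted in rule switch, which is exactly the point made above about variables of sort odd.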
To illustrate the use of sorts with non-trivial type families, consider the definition of
the double relation in LF. We declare a type family representing the doubling judgment
and populate it with two proof rules.

double : nat → nat → type.

dbl/z : double z z.

dbl/s : ΠX:nat. ΠY:nat. double X Y → double (s X) (s (s Y)).

With sorts, we can now directly express the property that the second argument to double
must be even. But to do so, we require a notion analogous to kinds that may contain sort
information. We call these classes and denote them by L.

K ::= type | Πx:A. K                        kinds

L ::= sort | Πx::S⊏A. L | ⊤ | L₁ ∧ L₂       classes

Classes L mirror kinds K, and they have a refinement relation L ⊏ K similar to S ⊏ A.
(We elide the rules here, but they are included in Appendix A.) Now, the general form of
the s ⊏ a declaration is s ⊏ a :: L, where a : K and L ⊏ K; this declares sort constant s to
refine type constant a and to have class L.

For now, we reuse the type name double as a sort, as no ambiguity can result. As
before, we use ⊤ to represent a nat with no additional restrictions.

double ⊏ double :: ⊤ → even → sort.

dbl/z :: double z z.

dbl/s :: ΠX::⊤. ΠY::even. double X Y → double (s X) (s (s Y)).

After these declarations, it would be a static sort error to pose a query such as

?- double X (s (s (s z))).

before any search is ever attempted. In LF, queries like this could fail after a long search or
even not terminate, depending on the search strategy. One of the important motivations for
considering sorts for LF is to avoid uncontrolled search in favor of decidable static properties
whenever possible.

The tradeoff for such precision is that now sort checking itself is non-deterministic
and has to perform search because of the choice between the two intersection elimination
rules. As Reynolds has shown, this non-determinism causes intersection type checking to be
PSPACE-hard [Rey96], even for normal terms as we have here [Rey89]. Using techniques
such as focusing, we believe that for practical cases they can be analyzed efficiently for the
purpose of sort checking. (The present paper concentrates primarily on decidability, though,
not efficiency.)

2.2. A Second Example: The λ-Calculus. As a second example, we use an intrinsically
typed version of the call-by-value simply-typed λ-calculus. This means every object
language expression is indexed by its object language type. We use sorts to distinguish the
set of values from the set of arbitrary computations. While this can be encoded in LF in a
variety of ways, it is significantly more cumbersome.

tp : type.                  % the type of object language types

⇒ : tp → tp → tp.           % object language function space
%infix right 10 ⇒.

exp : tp → type.            % the type of expressions
cmp ⊏ exp.                  % the sort of computations

val ⊏ exp.                  % the sort of values

val ≤ cmp.                  % every value is a (trivial) computation

lam :: (val A → cmp B) → val (A ⇒ B).
app :: cmp (A ⇒ B) → cmp A → cmp B.

In the last two declarations, we follow Twelf convention and leave the quantification over
A and B implicit, to be inferred by type reconstruction. Also, we did not explicitly declare
a type for lam and app. We posit a front end that can recover this information from the
refinement declarations for val and cmp, avoiding redundancy.

The most interesting declaration is the one for the constant lam. The argument type
(val A → cmp B) indicates that lam binds a variable which stands for a value of type A
and the body is an arbitrary computation of type B. The result type val (A ⇒ B) indicates
that any λ-abstraction is a value. Now we have, for example (parametrically in A and B):

A::⊤⊏tp, B::⊤⊏tp ⊢ lam λx. lam λy. x ⇐ val (A ⇒ (B ⇒ A)).

Now we can express that evaluation must always return a value. Since the declarations
below are intended to represent a logic program, we follow the logic programming convention
of reversing the arrows in the declaration of ev-app.

eval :: cmp A → val A → sort.
ev-lam :: eval (lam λx. E x) (lam λx. E x).
ev-app :: eval (app E₁ E₂) V
   ← eval E₁ (lam λx. E₁' x)
   ← eval E₂ V₂
   ← eval (E₁' V₂) V.

Sort checking the above declarations demonstrates that when evaluation returns at all, it
returns a syntactic value. Moreover, if sort reconstruction gives E₁' the "most general" sort
val A → cmp B, the declarations also ensure that the language is indeed call-by-value: it
would be a sort error to ever substitute a computation for a lam-bound variable, for example,
by evaluating (E₁' E₂) instead of (E₁' V₂) in the ev-app rule. An interesting question for
future work is whether type reconstruction can always find such a "most general" sort for
implicitly quantified metavariables.

A side note: through the use of sort families indexed by object language types, the sort 
checking not only guarantees that the language is call-by-value and that evaluation, if it 
succeeds, will always return a value, but also that the object language type of the result 
remains the same (type preservation). 

3. Metatheory 

In this section, we present some metatheoretic results about our framework. These follow a
similar pattern as previous work using hereditary substitutions [WCPW02, NPP07, HL07].
We give sketches of all proofs. Technically tricky proofs are available from a companion
technical report [LP08b].
Table 1: Judgments defining hereditary substitution.

  Judgment:                                  Substitution into:
  [N₀/x₀]^{rr}_{α₀} R = R'                   atomic terms (yielding atomic)
  [N₀/x₀]^{rn}_{α₀} R = (N', α')             atomic terms (yielding normal)
  [N₀/x₀]^{n}_{α₀} N = N'                    normal terms
  [N₀/x₀]^{p}_{α₀} P = P'                    atomic types
  [N₀/x₀]^{a}_{α₀} A = A'                    normal types
  [N₀/x₀]^{q}_{α₀} Q = Q'                    atomic sorts
  [N₀/x₀]^{s}_{α₀} S = S'                    normal sorts
  [N₀/x₀]^{k}_{α₀} K = K'                    kinds
  [N₀/x₀]^{l}_{α₀} L = L'                    classes
  [N₀/x₀]^{γ}_{α₀} Γ = Γ'                    contexts



3.1. Hereditary Substitution. Recall that we replace ordinary capture-avoiding substitution
with hereditary substitution, [N/x]_A, an operation which substitutes a normal term
into a canonical form yielding another canonical form, contracting redexes "in-line". The
operation is indexed by the putative type of N and x to facilitate a proof of termination.
In fact, the type index on hereditary substitution need only be a simple type to ensure
termination. To that end, we denote simple types by α and define an erasure to simple
types (A)⁻.

α ::= a | α₁ → α₂        (a N₁ ... N_k)⁻ = a        (Πx:A. B)⁻ = (A)⁻ → (B)⁻

For clarity, we also index hereditary substitutions by the syntactic category on which
they operate, so for example we have [N/x]^{n}_{α} M = M' and [N/x]^{s}_{α} S = S'; Table 1 lists
all of the judgments defining substitution. We write [N/x]_A M = M' as shorthand for
[N/x]^{n}_{(A)⁻} M = M'.

Our formulation of hereditary substitution is defined judgmentally by inference rules.
The only place β-redexes might be introduced is when substituting a normal term N into
an atomic term R: N might be a λ-abstraction, and the variable being substituted for may
occur at the head of R. Therefore, the judgments defining substitution into atomic terms
are the most interesting ones.

We denote substitution into atomic terms by two judgments: [N₀/x₀]^{rr}_{α₀} R = R', for
when the head of R is not x₀, and [N₀/x₀]^{rn}_{α₀} R = (N', α'), for when the head of R is x₀,
where α' is the simple type of the output N'. The former is just defined compositionally;
the latter is defined by two rules:

  --------------------------------- (subst-rn-var)
  [N₀/x₀]^{rn}_{α₀} x₀ = (N₀, α₀)

  [N₀/x₀]^{rn}_{α₀} R₁ = (λx. N₁, α₂ → α₁)    [N₀/x₀]^{n}_{α₀} N₂ = N₂'    [N₂'/x]^{n}_{α₂} N₁ = N₁'
  ------------------------------------------------------------------------------------------ (subst-rn-β)
  [N₀/x₀]^{rn}_{α₀} R₁ N₂ = (N₁', α₁)

The rule subst-rn-var just returns the substitutend N₀ and its putative type index α₀.
The rule subst-rn-β applies when the result of substituting into the head of an application
is a λ-abstraction; it avoids creating a redex by hereditarily substituting into the body of
the abstraction.

A simple lemma establishes that these two judgments are mutually exclusive by exam- 
ining the head of the input atomic term. 

head(x) = x        head(c) = c        head(R N) = head(R)

Lemma 3.1.

(1) If [N₀/x₀]^{rr}_{α₀} R = R', then head(R) ≠ x₀.

(2) If [N₀/x₀]^{rn}_{α₀} R = (N', α'), then head(R) = x₀.

Proof. By induction on the given derivation. □

Substitution into normal terms has two rules for atomic terms R, one which calls the "rr"
judgment and one which calls the "rn" judgment.

  [N₀/x₀]^{rr}_{α₀} R = R'                          [N₀/x₀]^{rn}_{α₀} R = (R', α')
  ------------------------- (subst-n-atom)          ------------------------------ (subst-n-atom-norm)
  [N₀/x₀]^{n}_{α₀} R = R'                           [N₀/x₀]^{n}_{α₀} R = R'

Note that the latter rule requires both the term and the type returned by the "rn" judgment
to be atomic.

Every other syntactic category's substitution judgment is defined compositionally, tacitly
renaming bound variables to avoid capture. For example, the remaining rule defining
substitution into normal terms, the rule for substituting into a λ-abstraction, just recurses
on the body of the abstraction.

  [N₀/x₀]^{n}_{α₀} N = N'
  ---------------------------------
  [N₀/x₀]^{n}_{α₀} λx. N = λx. N'
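The rr / rn / n judgments above, worked through as an added Python example (not the paper's code or any Twelf implementation). The tuple encodings of terms and simple types are chosen here; the code assumes constants and variables share no names and that bound variables are distinct from the free variables of the substituted term, which the paper handles by tacit renaming. Substituting λy. s y for x at type nat → nat into x (x z) yields s (s z) directly, with no redex created; the same substitution into the bare variable x is undefined, because the rn judgment returns a function type where subst-n-atom-norm demands an atomic one.

```python
# Added example (not from the paper): hereditary substitution on canonical terms,
# following the rr / rn / n judgments. The simple-type index α is the erasure (A)⁻.
#
# Terms:        ("const", c) | ("var", x) | ("app", R, N)     atomic terms R
#               ("lam", x, N)                                  normal term (plus any atomic)
# Simple types: ("base", a) | ("arrow", α1, α2)
# Assumptions: constants and variables share no names, and bound variables are
# distinct from the free variables of the substituted term (the paper renames tacitly).

class Undefined(Exception):
    """Raised where the partial function [N0/x0]_α0 has no output."""

def head(r):
    """head(x) = x, head(c) = c, head(R N) = head(R)."""
    while r[0] == "app":
        r = r[1]
    return r[1]

def free_vars(n):
    if n[0] == "const":
        return set()
    if n[0] == "var":
        return {n[1]}
    if n[0] == "app":
        return free_vars(n[1]) | free_vars(n[2])
    return free_vars(n[2]) - {n[1]}          # ("lam", x, body)

def subst_rr(n0, x0, a0, r):
    """[N0/x0]^rr_α0 R = R'   (head(R) ≠ x0): purely compositional, never a redex."""
    if r[0] in ("const", "var"):
        return r
    return ("app", subst_rr(n0, x0, a0, r[1]), subst_n(n0, x0, a0, r[2]))

def subst_rn(n0, x0, a0, r):
    """[N0/x0]^rn_α0 R = (N', α')   (head(R) = x0): contracts the redex it would create."""
    if r[0] == "var":                                   # subst-rn-var
        return n0, a0
    _, r1, n2 = r                                       # subst-rn-β
    fun, fun_type = subst_rn(n0, x0, a0, r1)
    if fun[0] != "lam" or fun_type[0] != "arrow":
        raise Undefined("head was replaced by something that is not a function")
    _, x, n1 = fun
    _, a2, a1 = fun_type
    n2_ = subst_n(n0, x0, a0, n2)
    # Substitute the argument into the body at index α2, a strict subterm of α0
    # (Lemma 3.4); that decreasing index is what makes the recursion terminate.
    return subst_n(n2_, x, a2, n1), a1

def subst_n(n0, x0, a0, n):
    """[N0/x0]^n_α0 N = N'."""
    if n[0] == "lam":
        _, x, body = n
        if x == x0:                    # x0 is shadowed, so nothing to substitute
            return n
        if x in free_vars(n0):
            raise Undefined(f"binder {x} would capture a free variable of N0; rename it")
        return ("lam", x, subst_n(n0, x0, a0, body))
    if head(n) != x0:                                   # subst-n-atom
        return subst_rr(n0, x0, a0, n)
    r_, a_ = subst_rn(n0, x0, a0, n)                    # subst-n-atom-norm
    if r_[0] == "lam" or a_[0] != "base":
        raise Undefined("rn judgment returned a non-atomic term or type")
    return r_

def hsubst(n0, x0, a0, n):
    """Total wrapper: the result, or None where hereditary substitution is undefined."""
    try:
        return subst_n(n0, x0, a0, n)
    except Undefined:
        return None

# Constructed input: substitute N0 = λy. s y for x at type nat → nat into x (x z).
NAT = ("base", "nat")
N0 = ("lam", "y", ("app", ("const", "s"), ("var", "y")))
R = ("app", ("var", "x"), ("app", ("var", "x"), ("const", "z")))

if __name__ == "__main__":
    print(hsubst(N0, "x", ("arrow", NAT, NAT), R))             # s (s z), no redex left behind
    print(hsubst(N0, "x", ("arrow", NAT, NAT), ("var", "x")))  # None: not η-long at nat → nat
```

The trace of the first call goes through subst-rn-β twice: each time the head x is replaced by the λ-abstraction, the argument is substituted into its body at the smaller index nat, and the result (s z, then s (s z)) comes back paired with the base type nat, which is what subst-n-atom-norm needs. Theorem 3.3 is visible too: substituting into s z, which does not mention x, returns it unchanged.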

Although we have only defined hereditary substitution relationally, it is easy to show that it 
is in fact a partial function by proving that there only ever exists one "output" for a given 
set of "inputs". 

Theorem 3.2 (Functionality of Substitution). Hereditary substitution is a functional relation.
In particular:

(1) If [N₀/x₀]^{rr}_{α₀} R = R₁ and [N₀/x₀]^{rr}_{α₀} R = R₂, then R₁ = R₂,

(2) If [N₀/x₀]^{rn}_{α₀} R = (N₁, α₁) and [N₀/x₀]^{rn}_{α₀} R = (N₂, α₂), then N₁ = N₂ and α₁ = α₂,

(3) If [N₀/x₀]^{n}_{α₀} N = N₁ and [N₀/x₀]^{n}_{α₀} N = N₂, then N₁ = N₂,
and similarly for other syntactic categories.

Proof. Straightforward induction on the first derivation, applying inversion to the second
derivation. The cases for rules subst-n-atom and subst-n-atom-norm require Lemma 3.1
to show that the second derivation ends with the same rule as the first one. □

Additionally, it is worth noting that hereditary substitution behaves just like "ordinary" 
substitution on terms that do not contain the distinguished free variable. 

Theorem 3.3 (Trivial Substitution). Hereditary substitution for a non-occurring variable
has no effect.

(1) If x₀ ∉ FV(R), then [N₀/x₀]^{rr}_{α₀} R = R,

(2) If x₀ ∉ FV(N), then [N₀/x₀]^{n}_{α₀} N = N,
and similarly for other syntactic categories.

Proof. Straightforward induction on term structure. □ 
3.2. Decidability. A hallmark of the canonical forms/hereditary substitution approach is
that it allows a decidability proof to be carried out comparatively early, before proving
anything about the behavior of substitution, and without dealing with any complications
introduced by β/η-conversions inside types. Ordinarily in a dependently typed calculus, one
must first prove a substitution theorem before proving typechecking decidable, since type-
checking relies on type equality, type equality relies on β/η-conversion, and β/η-conversions
rely on substitution preserving well-formedness. (See for example [HP05] for a typical non-
canonical forms-style account of LF definitional equality.)

In contrast, if only canonical forms are permitted, then type equality is just α-convertibility,
so one only needs to show decidability of substitution in order to show decidability of
typechecking. Since LF encodings represent judgments as type families and proof-checking
as typechecking, it is comforting to have a decidability proof that relies on so few assumptions.

Lemma 3.4. If [N₀/x₀]^{rn}_{α₀} R = (N', α'), then α' is a subterm of α₀.

Proof. By induction on the derivation of [N₀/x₀]^{rn}_{α₀} R = (N', α'). In rule subst-rn-var, α'
is the same as α₀. In rule subst-rn-β, our inductive hypothesis tells us that α₂ → α₁ is a
subterm of α₀, so α₁ is as well. □

By working in a constructive metalogic, we are able to prove decidability of a judgment by 
proving an instance of the law of the excluded middle; the computational content of the 
proof then represents a decision procedure. 

Theorem 3.5 (Decidability of Substitution). Hereditary substitution is decidable. In particular:

(1) Given $N_0$, $x_0$, $\alpha_0$, and $R$, either $\exists R'.\ [N_0/x_0]^{rr}_{\alpha_0} R = R'$, or $\nexists R'.\ [N_0/x_0]^{rr}_{\alpha_0} R = R'$,

(2) Given $N_0$, $x_0$, $\alpha_0$, and $R$, either $\exists (N', \alpha').\ [N_0/x_0]^{rn}_{\alpha_0} R = (N', \alpha')$, or $\nexists (N', \alpha').\ [N_0/x_0]^{rn}_{\alpha_0} R = (N', \alpha')$,

(3) Given $N_0$, $x_0$, $\alpha_0$, and $N$, either $\exists N'.\ [N_0/x_0]^n_{\alpha_0} N = N'$, or $\nexists N'.\ [N_0/x_0]^n_{\alpha_0} N = N'$,
and similarly for other syntactic categories.

Proof. By lexicographic induction on the type subscript $\alpha_0$, the main subject of the substitution judgment, and the clause number. For each applicable rule defining hereditary substitution, the premises are at a smaller type subscript, or if the same type subscript, then a smaller term, or if the same term, then an earlier clause. The case for rule subst-rn-$\beta$ relies on Lemma 3.4 to know that $\alpha_2$ is a strict subterm of $\alpha_0$. □

Theorem 3.6 (Decidability of Subsorting). Given $Q_1$ and $Q_2$, either $Q_1 \le Q_2$ or $Q_1 \not\le Q_2$.

Proof. Since the subsorting relation $Q_1 \le Q_2$ is just the reflexive, transitive closure of the declared subsorting relation $s_1 \le s_2$, it suffices to compute this closure, check that the heads of $Q_1$ and $Q_2$ are related by it, and ensure that all of the arguments of $Q_1$ and $Q_2$ are equal. □

We prove decidability of typing by exhibiting a deterministic algorithmic system that is equivalent to the original. Instead of synthesizing a single sort for an atomic term, the algorithmic system synthesizes an intersection-free list of sorts, $\Delta$.

$$\Delta ::= \cdot \mid \Delta, Q \mid \Delta, \Pi x{::}S \sqsubset A.\, T$$

(As usual, we freely overload comma to mean list concatenation, as no ambiguity can result.) One can think of $\Delta$ as the intersection of all its elements. Instead of applying intersection eliminations, the algorithmic system eagerly breaks down intersections using a "split" operator, leading to a deterministic "minimal-synthesis" system.

$$\mathrm{split}(Q) = Q \qquad \mathrm{split}(S_1 \wedge S_2) = \mathrm{split}(S_1), \mathrm{split}(S_2)$$

$$\mathrm{split}(\Pi x{::}S \sqsubset A.\, T) = \Pi x{::}S \sqsubset A.\, T \qquad \mathrm{split}(\top) = \cdot$$

$$\frac{c{::}S \in \Sigma}{\Gamma \vdash c \Rrightarrow \mathrm{split}(S)} \qquad \frac{x{::}S \sqsubset A \in \Gamma}{\Gamma \vdash x \Rrightarrow \mathrm{split}(S)} \qquad \frac{\Gamma \vdash R \Rrightarrow \Delta \quad \Gamma \vdash \Delta \mathbin{@} N = \Delta'}{\Gamma \vdash R\, N \Rrightarrow \Delta'}$$

The rule for applications uses an auxiliary judgment $\Gamma \vdash \Delta \mathbin{@} N = \Delta'$ which computes the possible sorts of $R\, N$ given that $R$ synthesizes to all the sorts in $\Delta$. It has two key rules:

$$\frac{}{\Gamma \vdash \cdot \mathbin{@} N = \cdot} \qquad \frac{\Gamma \vdash \Delta \mathbin{@} N = \Delta' \quad \Gamma \vdash N \Lleftarrow S \quad [N/x]^s_A\, T = T'}{\Gamma \vdash (\Delta, \Pi x{::}S \sqsubset A.\, T) \mathbin{@} N = \Delta', \mathrm{split}(T')}$$

The other rules force the judgment to be defined when neither of the above two rules apply.

$$\frac{\Gamma \vdash \Delta \mathbin{@} N = \Delta' \quad \Gamma \nvdash N \Lleftarrow S}{\Gamma \vdash (\Delta, \Pi x{::}S \sqsubset A.\, T) \mathbin{@} N = \Delta'} \qquad \frac{\Gamma \vdash \Delta \mathbin{@} N = \Delta' \quad \nexists T'.\ [N/x]^s_A\, T = T'}{\Gamma \vdash (\Delta, \Pi x{::}S \sqsubset A.\, T) \mathbin{@} N = \Delta'}$$

$$\frac{\Gamma \vdash \Delta \mathbin{@} N = \Delta'}{\Gamma \vdash (\Delta, Q) \mathbin{@} N = \Delta'}$$

Finally, to tie everything together, we define a new checking judgment $\Gamma \vdash N \Lleftarrow S$ that makes use of the algorithmic synthesis judgment; it looks just like $\Gamma \vdash N \Leftarrow S$ except for the rule for atomic terms.

$$\frac{\Gamma \vdash R \Rrightarrow \Delta \quad Q' \in \Delta \quad Q' \le Q}{\Gamma \vdash R \Lleftarrow Q} \qquad \frac{\Gamma, x{::}S \sqsubset A \vdash N \Lleftarrow T}{\Gamma \vdash \lambda x.\, N \Lleftarrow \Pi x{::}S \sqsubset A.\, T}$$

$$\frac{}{\Gamma \vdash N \Lleftarrow \top} \qquad \frac{\Gamma \vdash N \Lleftarrow S_1 \quad \Gamma \vdash N \Lleftarrow S_2}{\Gamma \vdash N \Lleftarrow S_1 \wedge S_2}$$

This new algorithmic system is manifestly decidable: despite the negative conditions in some of the premises, the definitions of the judgments are well-founded by the ordering used in the following proof. (If we wished, we could also explicitly synthesize a definition of $\Gamma \nvdash N \Lleftarrow S$, but it would not illuminate the algorithm any further.)

Theorem 3.7. Algorithmic sort checking is decidable. In particular:

(1) Given $\Gamma$ and $R$, either $\exists \Delta.\ \Gamma \vdash R \Rrightarrow \Delta$ or $\nexists \Delta.\ \Gamma \vdash R \Rrightarrow \Delta$.

(2) Given $\Gamma$, $N$, and $S$, either $\Gamma \vdash N \Lleftarrow S$ or $\Gamma \nvdash N \Lleftarrow S$.

(3) Given $\Gamma$, $\Delta$, and $N$, $\exists \Delta'.\ \Gamma \vdash \Delta \mathbin{@} N = \Delta'$.

Proof. By lexicographic induction on the term $R$ or $N$, the clause number, and the sort $S$ or the list of sorts $\Delta$. For each applicable rule, the premises are either known to be decidable, or at a smaller term, or if the same term, then an earlier clause, or if the same clause, then either a smaller $S$ or a smaller $\Delta$. For clause (3) we must use our inductive hypothesis to argue that the rules cover all possibilities, and so a derivation always exists. □

Note that the algorithmic synthesis system sometimes outputs an empty $\Delta$ even when the given term is ill-typed, since the $\Gamma \vdash \Delta \mathbin{@} N = \Delta'$ judgment is always defined.
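The minimal-synthesis algorithm above, and the closure-based decision procedure of Theorem 3.6, as an added executable illustration that is not code from the paper. It assumes (these assumptions are not the paper's) a non-dependent fragment: sorts carry no refined types and no dependency, so $\Pi x{::}S_1 \sqsubset A.\,S_2$ is treated as $S_1 \to S_2$ and the substitution $[N/x]^s_A\,T$ is always defined and leaves $T$ unchanged; atomic sorts are sort constants without arguments, so atomic subsorting is exactly the reflexive-transitive closure of the declared relation. The signature (`z`, `s`, `even`, `odd`, `nat`) and the names `Checker`, `synth`, `apply`, `check` are constructed for the example.

```python
"""Minimal-synthesis sort checking for a non-dependent fragment of LFR.

Added illustration, not code from the paper.  Assumptions (not the paper's):
no dependency in Pi sorts, no refined types, atomic sorts are bare constants,
and terms are canonical (a lambda only appears where a Pi sort is expected).
"""
# Sorts:        ("atom", name) | ("pi", S1, S2) | ("and", S1, S2) | ("top",)
# Atomic terms: ("var", x) | ("const", c) | ("app", R, N)
# Normal terms: ("lam", x, N) | any atomic term R


def split(s):
    """split(S): eagerly decompose intersections into an intersection-free list."""
    if s[0] == "and":
        return split(s[1]) + split(s[2])
    if s[0] == "top":
        return []                      # split(top) = empty list
    return [s]                         # atomic sort Q or Pi sort stays as-is


def closure(declared):
    """Reflexive-transitive closure of declared subsorting on sort constants
    (the computation Theorem 3.6 relies on)."""
    names = {a for pair in declared for a in pair}
    le = {(a, a) for a in names} | set(declared)
    changed = True
    while changed:
        changed = False
        for (a, b) in list(le):
            for (c, d) in list(le):
                if b == c and (a, d) not in le:
                    le.add((a, d))
                    changed = True
    return le


class Checker:
    def __init__(self, signature, declared):
        self.sig = signature           # constant -> sort
        self.le = closure(declared)    # atomic subsorting Q' <= Q

    def atomic_le(self, q1, q2):
        return q1 == q2 or (q1[1], q2[1]) in self.le

    def synth(self, ctx, r):
        """Gamma |- R =>> Delta: the intersection-free list of sorts R synthesizes."""
        if r[0] == "var":
            return split(ctx[r[1]])
        if r[0] == "const":
            return split(self.sig[r[1]])
        if r[0] == "app":
            return self.apply(ctx, self.synth(ctx, r[1]), r[2])
        raise ValueError("not an atomic term: %r" % (r,))

    def apply(self, ctx, delta, n):
        """Gamma |- Delta @ N = Delta': always defined; inapplicable entries are dropped."""
        out = []
        for s in delta:
            if s[0] == "pi" and self.check(ctx, n, s[1]):
                out += split(s[2])     # codomain unchanged: no substitution (non-dependent)
        return out

    def check(self, ctx, n, s):
        """Gamma |- N <<= S."""
        if s[0] == "top":
            return True
        if s[0] == "and":
            return self.check(ctx, n, s[1]) and self.check(ctx, n, s[2])
        if s[0] == "pi":
            if n[0] != "lam":
                return False           # canonical forms: Pi sorts are checked against lambdas
            x, body = n[1], n[2]
            return self.check(dict(ctx, **{x: s[1]}), body, s[2])
        if n[0] == "lam":
            return False               # a lambda never checks at an atomic sort
        # atomic sort Q: N must synthesize some atomic Q' with Q' <= Q
        return any(q[0] == "atom" and self.atomic_le(q, s) for q in self.synth(ctx, n))


# Constructed example signature: zero and successor over even/odd refinements of nat.
EVEN, ODD, NAT = ("atom", "even"), ("atom", "odd"), ("atom", "nat")
def pi(s1, s2): return ("pi", s1, s2)
def both(s1, s2): return ("and", s1, s2)

SIG = {"z": EVEN,
       "s": both(both(pi(EVEN, ODD), pi(ODD, EVEN)), pi(NAT, NAT))}
DECLARED = {("even", "nat"), ("odd", "nat")}
CHK = Checker(SIG, DECLARED)

Z = ("const", "z")
def s_(n): return ("app", ("const", "s"), n)


def demo():
    """A few checks; s z synthesizes the list [odd, nat] and checks at nat via odd <= nat."""
    return {
        "s(s z) : even": CHK.check({}, s_(s_(Z)), EVEN),
        "s z : even": CHK.check({}, s_(Z), EVEN),
        "s z : nat": CHK.check({}, s_(Z), NAT),
        "lam x. s x : odd -> even": CHK.check({}, ("lam", "x", s_(("var", "x"))), pi(ODD, EVEN)),
        "synth s z": CHK.synth({}, s_(Z)),
        "synth (z z)": CHK.synth({}, ("app", Z, Z)),   # ill-typed, yet Delta = [] is defined
    }
```

The last entry of `demo` shows the remark above in action: `z z` is not well-typed, but because `Delta @ N` is total the synthesis returns the empty list rather than failing.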

It is straightforward to show that the algorithm is sound and complete with respect to 
the original bidirectional system. 

Lemma 3.8. If $\Gamma \vdash R \Rightarrow S$, then for all $S' \in \mathrm{split}(S)$, $\Gamma \vdash R \Rightarrow S'$.

Proof. By induction on $S$, making use of the $\wedge$-E$_1$ and $\wedge$-E$_2$ rules. □

Theorem 3.9 (Soundness of Algorithmic Typing).

(1) If $\Gamma \vdash R \Rrightarrow \Delta$, then for all $S \in \Delta$, $\Gamma \vdash R \Rightarrow S$.

(2) If $\Gamma \vdash N \Lleftarrow S$, then $\Gamma \vdash N \Leftarrow S$.

(3) If $\Gamma \vdash \Delta \mathbin{@} N = \Delta'$, and for all $S \in \Delta$, $\Gamma \vdash R \Rightarrow S$, then for all $S' \in \Delta'$, $\Gamma \vdash R\, N \Rightarrow S'$.

Proof. By induction on the given derivation, using Lemma 3.8. □

For completeness, we use the notation $\Delta \subseteq \Delta'$ to mean that $\Delta$ is a sublist of $\Delta'$.

Lemma 3.10. If $\Gamma \vdash \Delta \mathbin{@} N = \Delta'$ and $\Gamma \vdash R \Rrightarrow \Delta$ and $\Pi x{::}S \sqsubset A.\, T \in \Delta$ and $\Gamma \vdash N \Leftarrow S$ and $[N/x]^s_A\, T = T'$, then $\mathrm{split}(T') \subseteq \Delta'$.

Proof. By straightforward induction on the derivation of $\Gamma \vdash \Delta \mathbin{@} N = \Delta'$. □

Theorem 3.11 (Completeness for Algorithmic Typing).

(1) If $\Gamma \vdash R \Rightarrow S$, then $\Gamma \vdash R \Rrightarrow \Delta$ and $\mathrm{split}(S) \subseteq \Delta$.

(2) If $\Gamma \vdash N \Leftarrow S$, then $\Gamma \vdash N \Lleftarrow S$.

Proof. By straightforward induction on the given derivation. In the application case, we make use of the fact that $\Gamma \vdash \Delta \mathbin{@} N = \Delta'$ is always defined and apply Lemma 3.10. □

Soundness, completeness, and decidability of the algorithmic system give us a decision procedure for the judgment $\Gamma \vdash N \Leftarrow S$. First, decidability tells us that either $\Gamma \vdash N \Lleftarrow S$ or $\Gamma \nvdash N \Lleftarrow S$. Then soundness tells us that if $\Gamma \vdash N \Lleftarrow S$ then $\Gamma \vdash N \Leftarrow S$, while completeness tells us that if $\Gamma \nvdash N \Lleftarrow S$ then $\Gamma \nvdash N \Leftarrow S$.

Decidability theorems and proofs for other syntactic categories' formation judgments 
proceed similarly. When all is said and done, we have enough to show that the problem of 
sort checking an LFR signature is decidable. 

Theorem 3.12 (Decidability of Sort Checking). Sort checking is decidable. In particular:

(1) Given $\Gamma$, $N$, and $S$, either $\Gamma \vdash N \Leftarrow S$ or $\Gamma \nvdash N \Leftarrow S$,

(2) Given $\Gamma$, $S$, and $A$, either $\Gamma \vdash S \sqsubset A$ or $\Gamma \nvdash S \sqsubset A$, and

(3) Given $\Sigma$, either $\vdash \Sigma\ \mathrm{sig}$ or $\nvdash \Sigma\ \mathrm{sig}$.

3.3. Identity and Substitution Principles. Since well-typed terms in our framework must be canonical, that is $\beta$-normal and $\eta$-long, it is non-trivial to prove $S \to S$ for non-atomic $S$, or to compose proofs of $S_1 \to S_2$ and $S_2 \to S_3$. The Identity and Substitution principles ensure that our type theory makes logical sense by demonstrating the reflexivity and transitivity of entailment. Reflexivity is witnessed by $\eta$-expansion, while transitivity is witnessed by hereditary substitution.

The Identity principle effectively says that synthesizing (atomic) objects can be made to serve as checking (normal) objects. The Substitution principle dually says that checking objects may stand in for synthesizing assumptions, that is, variables.

3.3.1. Substitution. The goal of this section is to give a careful proof of the following substitution theorem. Suppose $\Gamma_L \vdash N_0 \Leftarrow S_0$. Then:

(1) If

• $\vdash \Gamma_L, x_0{::}S_0 \sqsubset A_0, \Gamma_R\ \mathrm{ctx}$, and

• $\Gamma_L, x_0{::}S_0 \sqsubset A_0, \Gamma_R \vdash S \sqsubset A$, and

• $\Gamma_L, x_0{::}S_0 \sqsubset A_0, \Gamma_R \vdash N \Leftarrow S$,
then

• $[N_0/x_0]^\gamma_{A_0} \Gamma_R = \Gamma_R'$ and $\vdash \Gamma_L, \Gamma_R'\ \mathrm{ctx}$, and

• $[N_0/x_0]^s_{A_0} S = S'$ and $[N_0/x_0]^a_{A_0} A = A'$ and $\Gamma_L, \Gamma_R' \vdash S' \sqsubset A'$, and

• $[N_0/x_0]^n_{A_0} N = N'$ and $\Gamma_L, \Gamma_R' \vdash N' \Leftarrow S'$,

(2) If

• $\vdash \Gamma_L, x_0{::}S_0 \sqsubset A_0, \Gamma_R\ \mathrm{ctx}$ and

• $\Gamma_L, x_0{::}S_0 \sqsubset A_0, \Gamma_R \vdash R \Rightarrow S$,
then

• $[N_0/x_0]^\gamma_{A_0} \Gamma_R = \Gamma_R'$ and $\vdash \Gamma_L, \Gamma_R'\ \mathrm{ctx}$, and $[N_0/x_0]^s_{A_0} S = S'$, and either

– $[N_0/x_0]^{rr}_{A_0} R = R'$ and $\Gamma_L, \Gamma_R' \vdash R' \Rightarrow S'$, or

– $[N_0/x_0]^{rn}_{A_0} R = (N', \alpha')$ and $\Gamma_L, \Gamma_R' \vdash N' \Leftarrow S'$,

and similarly for other syntactic categories. (Theorem 3.19 below.)

To prove the substitution theorem, we require a lemma about how substitutions compose. The corresponding property for an ordinary non-hereditary substitution says that $[N_0/x_0]\,[N_2/x_2]\,N = [[N_0/x_0]\,N_2/x_2]\,[N_0/x_0]\,N$. For hereditary substitutions, the situation is analogous, but we must be clear about which substitution instances we must assume to be defined and which we may conclude to be defined: if the three "inner" substitutions are defined, then the two "outer" ones are also defined, and equal. Note that the composition lemma is something like a diamond property; the notation below is meant to suggest this connection.

Lemma 3.13 (Composition of Substitutions). Suppose $[N_0/x_0]^n_{\alpha_0} N_2 = N_2'$ and $x_2 \notin FV(N_0)$. Then:

(1) If $[N_0/x_0]^n_{\alpha_0} N = N'$ and $[N_2/x_2]^n_{\alpha_2} N = N''$, then for some $N'''$, $[N_2'/x_2]^n_{\alpha_2} N' = N'''$ and $[N_0/x_0]^n_{\alpha_0} N'' = N'''$,

(2) If $[N_0/x_0]^{rr}_{\alpha_0} R = R'$ and $[N_2/x_2]^{rr}_{\alpha_2} R = R''$, then for some $R'''$, $[N_2'/x_2]^{rr}_{\alpha_2} R' = R'''$ and $[N_0/x_0]^{rr}_{\alpha_0} R'' = R'''$,

(3) If $[N_0/x_0]^{rr}_{\alpha_0} R = R'$ and $[N_2/x_2]^{rn}_{\alpha_2} R = (N'', \beta)$, then for some $N'''$, $[N_2'/x_2]^{rn}_{\alpha_2} R' = (N''', \beta)$ and $[N_0/x_0]^n_{\alpha_0} N'' = N'''$,

(4) If $[N_0/x_0]^{rn}_{\alpha_0} R = (N', \beta)$ and $[N_2/x_2]^{rr}_{\alpha_2} R = R''$, then for some $N'''$, $[N_2'/x_2]^n_{\alpha_2} N' = N'''$ and $[N_0/x_0]^{rn}_{\alpha_0} R'' = (N''', \beta)$,

and similarly for other syntactic categories.

Proof (sketch). By lexicographic induction on the unordered pair of $\alpha_0$ and $\alpha_2$, and on the first substitution derivation in each clause. The cases for rule subst-rn-$\beta$ in clauses (3) and (4) appeal to the induction hypothesis at a smaller type using Lemma 3.4. The case in clause (4) swaps the roles of $\alpha_0$ and $\alpha_2$, necessitating the unordered induction metric. □
We also require a simple lemma about substitution into subsorting derivations:

Lemma 3.14 (Substitution into Subsorting). If $Q_1 \le Q_2$ and $[N_0/x_0]^q_{\alpha_0} Q_1 = Q_1'$ and $[N_0/x_0]^q_{\alpha_0} Q_2 = Q_2'$, then $Q_1' \le Q_2'$.

Proof. Straightforward induction using Theorem 3.2 (Functionality of Substitution), since the subsorting rules depend only on term equalities, and not on well-formedness. □

Next, we must state the substitution theorem in a form general enough to admit an inductive proof. Following previous work on canonical forms-based LF [WCPW02, HL07], we strengthen its statement to one that does not presuppose the well-formedness of the context or the classifying types, but instead merely presupposes that hereditary substitution is defined on them. We call this strengthened theorem "proto-substitution" and prove it in several parts. In order to capture the convention that we only sort-check well-typed terms, proto-substitution includes hypotheses about well-typedness of terms; these hypotheses use an erasure $\Gamma^*$ that transforms an LFR context into an LF context.

$$\cdot^* = \cdot \qquad (\Gamma, x{::}S \sqsubset A)^* = \Gamma^*, x{:}A$$

The structure of the proof under this convention requires that we interleave the proof of the core LF proto-substitution theorem. Generally, reasoning related to core LF presuppositions is analogous to refinement-related reasoning and can be dealt with mostly orthogonally, but the presuppositions are necessary in certain cases.
Theorem 3.15 (Proto-Substitution, terms).

(1) If

• $\Gamma_L \vdash N_0 \Leftarrow S_0$ (and $\Gamma_L^* \vdash N_0 \Leftarrow A_0$), and

• $\Gamma_L, x_0{::}S_0 \sqsubset A_0, \Gamma_R \vdash N \Leftarrow S$ (and $\Gamma_L^*, x_0{:}A_0, \Gamma_R^* \vdash N \Leftarrow A$), and

• $[N_0/x_0]^\gamma_{A_0} \Gamma_R = \Gamma_R'$, and

• $[N_0/x_0]^s_{A_0} S = S'$ (and $[N_0/x_0]^a_{A_0} A = A'$),
then

• $[N_0/x_0]^n_{A_0} N = N'$, and

• $\Gamma_L, \Gamma_R' \vdash N' \Leftarrow S'$ (and $\Gamma_L^*, (\Gamma_R')^* \vdash N' \Leftarrow A'$).

(2) If

• $\Gamma_L \vdash N_0 \Leftarrow S_0$ (and $\Gamma_L^* \vdash N_0 \Leftarrow A_0$), and

• $\Gamma_L, x_0{::}S_0 \sqsubset A_0, \Gamma_R \vdash R \Rightarrow S$ (and $\Gamma_L^*, x_0{:}A_0, \Gamma_R^* \vdash R \Rightarrow A$), and

• $[N_0/x_0]^\gamma_{A_0} \Gamma_R = \Gamma_R'$,
then

• $[N_0/x_0]^s_{A_0} S = S'$ (and $[N_0/x_0]^a_{A_0} A = A'$), and

• either

– $[N_0/x_0]^{rr}_{A_0} R = R'$ and

– $\Gamma_L, \Gamma_R' \vdash R' \Rightarrow S'$ (and $\Gamma_L^*, (\Gamma_R')^* \vdash R' \Rightarrow A'$),

or

– $[N_0/x_0]^{rn}_{A_0} R = (N', (A')^-)$ and

– $\Gamma_L, \Gamma_R' \vdash N' \Leftarrow S'$ (and $\Gamma_L^*, (\Gamma_R')^* \vdash N' \Leftarrow A'$).

Note: We tacitly assume the implicit signature $\Sigma$ is well-formed. We do not tacitly assume that any of the contexts, sorts, or types are well-formed. We do tacitly assume that contexts respect the usual variable conventions in that bound variables are always fresh, both with respect to other variables bound in the same context and with respect to other free variables in terms outside the scope of the binding.
Proof (sketch). By lexicographic induction on $(A_0)^-$ and the derivation $\mathcal{D}$ hypothesizing $x_0{::}S_0 \sqsubset A_0$.

The most involved case is that for application $R_1\, N_2$. When $\mathrm{head}(R_1) = x_0$, hereditary substitution carries out a $\beta$-reduction, and the proof invokes the induction hypothesis at a smaller type but not a subderivation. This case also requires Lemma 3.13 (Composition): since function sorts are dependent, the typing rule for application carries out a substitution, and we need to compose this substitution with the $[N_0/x_0]_{A_0}$ substitution.

In the case where we check a term at sort $\top$, we require the core LF assumptions in order to invoke the core LF proto-substitution theorem. □

Next, we can prove analogous proto-substitution theorems for sorts/types and for classes/kinds.

Theorem 3.16 (Proto-Substitution, sorts and types).

(1) If

• $\Gamma_L \vdash N_0 \Leftarrow S_0$ (and $\Gamma_L^* \vdash N_0 \Leftarrow A_0$),

• $\Gamma_L, x_0{::}S_0 \sqsubset A_0, \Gamma_R \vdash S \sqsubset A$ (and $\Gamma_L^*, x_0{:}A_0, \Gamma_R^* \vdash A \Leftarrow \mathrm{type}$), and

• $[N_0/x_0]^\gamma_{A_0} \Gamma_R = \Gamma_R'$,
then

• $[N_0/x_0]^s_{A_0} S = S'$ (and $[N_0/x_0]^a_{A_0} A = A'$), and

• $\Gamma_L, \Gamma_R' \vdash S' \sqsubset A'$ (and $\Gamma_L^*, (\Gamma_R')^* \vdash A' \Leftarrow \mathrm{type}$).

(2) If

• $\Gamma_L \vdash N_0 \Leftarrow S_0$ (and $\Gamma_L^* \vdash N_0 \Leftarrow A_0$),

• $\Gamma_L, x_0{::}S_0 \sqsubset A_0, \Gamma_R \vdash Q \sqsubset P \Rightarrow L$ (and $\Gamma_L^*, x_0{:}A_0, \Gamma_R^* \vdash P \Rightarrow K$), and

• $[N_0/x_0]^\gamma_{A_0} \Gamma_R = \Gamma_R'$,
then

• $[N_0/x_0]^q_{A_0} Q = Q'$ (and $[N_0/x_0]^p_{A_0} P = P'$), and

• $[N_0/x_0]^l_{A_0} L = L'$ (and $[N_0/x_0]^k_{A_0} K = K'$), and

• $\Gamma_L, \Gamma_R' \vdash Q' \sqsubset P' \Rightarrow L'$ (and $\Gamma_L^*, (\Gamma_R')^* \vdash P' \Rightarrow K'$).

Proof. By induction on the derivation hypothesizing $x_0{::}S_0 \sqsubset A_0$, using Theorem 3.15 (Proto-Substitution, terms). The reasoning is essentially the same as the reasoning for Theorem 3.15. □

Theorem 3.17 (Proto-Substitution, classes and kinds).
If

• $\Gamma_L \vdash N_0 \Leftarrow S_0$ (and $\Gamma_L^* \vdash N_0 \Leftarrow A_0$),

• $\Gamma_L, x_0{::}S_0 \sqsubset A_0, \Gamma_R \vdash L \sqsubset K$ (and $\Gamma_L^*, x_0{:}A_0, \Gamma_R^* \vdash K \Leftarrow \mathrm{kind}$), and

• $[N_0/x_0]^\gamma_{A_0} \Gamma_R = \Gamma_R'$,
then

• $[N_0/x_0]^l_{A_0} L = L'$ (and $[N_0/x_0]^k_{A_0} K = K'$), and

• $\Gamma_L, \Gamma_R' \vdash L' \sqsubset K'$ (and $\Gamma_L^*, (\Gamma_R')^* \vdash K' \Leftarrow \mathrm{kind}$).

Proof. By induction on the derivation hypothesizing $x_0{::}S_0 \sqsubset A_0$, using Theorem 3.16 (Proto-Substitution, sorts and types). □

Then, we can finish proto-substitution by proving a proto-substitution theorem for 
contexts. 
Theorem 3.18 (Proto-Substitution, contexts).
If

• $\Gamma_L \vdash N_0 \Leftarrow S_0$ (and $\Gamma_L^* \vdash N_0 \Leftarrow A_0$), and

• $\vdash \Gamma_L, x_0{::}S_0 \sqsubset A_0, \Gamma_R\ \mathrm{ctx}$ (and $\vdash \Gamma_L^*, x_0{:}A_0, \Gamma_R^*\ \mathrm{ctx}$),
then

• $[N_0/x_0]^\gamma_{A_0} \Gamma_R = \Gamma_R'$, and

• $\vdash \Gamma_L, \Gamma_R'\ \mathrm{ctx}$ (and $\vdash \Gamma_L^*, (\Gamma_R')^*\ \mathrm{ctx}$).

Proof. Straightforward induction on $\Gamma_R$. □

Finally, we have enough to obtain a proof of the desired substitution theorem.

Theorem 3.19 (Substitution). Suppose $\Gamma_L \vdash N_0 \Leftarrow S_0$. Then:

(1) If

• $\vdash \Gamma_L, x_0{::}S_0 \sqsubset A_0, \Gamma_R\ \mathrm{ctx}$, and

• $\Gamma_L, x_0{::}S_0 \sqsubset A_0, \Gamma_R \vdash S \sqsubset A$, and

• $\Gamma_L, x_0{::}S_0 \sqsubset A_0, \Gamma_R \vdash N \Leftarrow S$,
then

• $[N_0/x_0]^\gamma_{A_0} \Gamma_R = \Gamma_R'$ and $\vdash \Gamma_L, \Gamma_R'\ \mathrm{ctx}$, and

• $[N_0/x_0]^s_{A_0} S = S'$ and $[N_0/x_0]^a_{A_0} A = A'$ and $\Gamma_L, \Gamma_R' \vdash S' \sqsubset A'$, and

• $[N_0/x_0]^n_{A_0} N = N'$ and $\Gamma_L, \Gamma_R' \vdash N' \Leftarrow S'$,

(2) If

• $\vdash \Gamma_L, x_0{::}S_0 \sqsubset A_0, \Gamma_R\ \mathrm{ctx}$ and

• $\Gamma_L, x_0{::}S_0 \sqsubset A_0, \Gamma_R \vdash R \Rightarrow S$,
then

• $[N_0/x_0]^\gamma_{A_0} \Gamma_R = \Gamma_R'$ and $\vdash \Gamma_L, \Gamma_R'\ \mathrm{ctx}$, and $[N_0/x_0]^s_{A_0} S = S'$, and either

– $[N_0/x_0]^{rr}_{A_0} R = R'$ and $\Gamma_L, \Gamma_R' \vdash R' \Rightarrow S'$, or

– $[N_0/x_0]^{rn}_{A_0} R = (N', \alpha')$ and $\Gamma_L, \Gamma_R' \vdash N' \Leftarrow S'$,

and similarly for other syntactic categories.

Proof. Straightforward corollary of Proto-Substitution Theorems 3.15, 3.16, 3.17, and 3.18. □

Having proven substitution, we henceforth tacitly assume that all subjects of a judgment are sufficiently well-formed for the judgment to make sense. In particular, we assume that all contexts are well-formed, and whenever we assume $\Gamma \vdash N \Leftarrow S$, we assume that for some well-formed type $A$, we have $\Gamma \vdash S \sqsubset A$ and $\Gamma \vdash N \Leftarrow A$. These assumptions embody our refinement restriction: we only sort-check a term if it is already well-typed and even then only at sorts that refine its type.

Similarly, whenever we assume $\Gamma \vdash S \sqsubset A$, we tacitly assume that $\Gamma \vdash A \Leftarrow \mathrm{type}$, and whenever we assume $\Gamma \vdash L \sqsubset K$, we tacitly assume that $\Gamma \vdash K \Leftarrow \mathrm{kind}$.

3.3.2. Identity. Just as we needed a composition lemma to prove the substitution theorem, in order to prove the identity theorem we need a lemma about how $\eta$-expansion commutes with substitution.¹

¹ The categorically-minded reader might think of this as the right and left unit laws for $\circ$ while thinking of the composition lemma above as the associativity of $\circ$, where $\circ$ in the category represents substitution, as usual.
In stating this lemma, we require a judgment that predicts the simple type output of "rn" substitution. This judgment just computes the simple type as in "rn" substitution, but without computing anything having to do with substitution. Since it resembles a sort of "approximate typing judgment", we write it $x_0{:}\alpha_0 \vdash R : \alpha$. As with "rn" substitution, it is only defined when the head of $R$ is $x_0$.

$$\frac{}{x_0{:}\alpha_0 \vdash x_0 : \alpha_0} \qquad \frac{x_0{:}\alpha_0 \vdash R : \alpha \to \beta}{x_0{:}\alpha_0 \vdash R\, N : \beta}$$

Lemma 3.20. If $[N_0/x_0]^{rn}_{\alpha_0} R = (N', \alpha')$ and $x_0{:}\alpha_0 \vdash R : \alpha$, then $\alpha' = \alpha$.

Proof. Straightforward induction. □

Lemma 3.21 (Commutativity of Substitution and $\eta$-expansion). Substitution commutes with $\eta$-expansion. In particular:

(1) (a) If $[\eta_\alpha(x)/x]^n_\alpha N = N'$, then $N = N'$,

(b) If $[\eta_\alpha(x)/x]^{rr}_\alpha R = R'$, then $R = R'$,

(c) If $[\eta_\alpha(x)/x]^{rn}_\alpha R = (N, \beta)$, then $\eta_\beta(R) = N$,

(2) If $[N_0/x_0]^n_{\alpha_0}\, \eta_\alpha(R) = N'$, then

(a) if $\mathrm{head}(R) \neq x_0$, then $[N_0/x_0]^{rr}_{\alpha_0} R = R'$ and $\eta_\alpha(R') = N'$,

(b) if $\mathrm{head}(R) = x_0$ and $x_0{:}\alpha_0 \vdash R : \alpha$, then $[N_0/x_0]^{rn}_{\alpha_0} R = (N', \alpha)$,
and similarly for other syntactic categories.

Proof (sketch). By lexicographic induction on $\alpha$ and the given substitution derivation. The proofs of clauses (1a), (1b), and (1c) analyze the substitution derivation, while the proofs of clauses (2a) and (2b) analyze the simple type $\alpha$ at which $R$ is $\eta$-expanded. □

Note: By considering the variable being substituted for to be a bound variable subject to $\alpha$-conversion², we can see that our commutativity theorem is equivalent to an apparently more general one where the $\eta$-expanded variable is not the same as the substituted-for variable. For example, in the case of clause (1a), we would have that if $[\eta_\alpha(x)/y]^n_\alpha N = N'$, then $[x/y]\,N = N'$. We will freely make use of this fact in what follows when convenient.

Theorem 3.22 (Expansion). If $\Gamma \vdash S \sqsubset A$ and $\Gamma \vdash R \Rightarrow S$, then $\Gamma \vdash \eta_A(R) \Leftarrow S$.

Proof (sketch). By induction on $S$. The $\Pi x{::}S_1 \sqsubset A_1.\, S_2$ case relies on Theorem 3.19 (Substitution) to show that $[\eta_{A_1}(x)/x]^s_{A_1} S_2$ is defined and on Lemma 3.21 (Commutativity) to show that it is equal to $S_2$. □

Theorem 3.23 (Identity). If $\Gamma \vdash S \sqsubset A$, then $\Gamma, x{::}S \sqsubset A \vdash \eta_A(x) \Leftarrow S$.

Proof. Corollary of Theorem 3.22 (Expansion). □

² In other words, by reading $[N_0/x_0]^n_{\alpha_0} N = N'$ as something like $\mathrm{subst}_{\alpha_0}(N_0, x_0.N) = N'$, where $x_0$ is bound in $N$.
$S_1 \le S_2$

$$\frac{}{S \le S}\ (\mathrm{refl}) \qquad \frac{S_1 \le S_2 \quad S_2 \le S_3}{S_1 \le S_3}\ (\mathrm{trans}) \qquad \frac{S_2 \le S_1 \quad T_1 \le T_2}{\Pi x{::}S_1.\, T_1 \le \Pi x{::}S_2.\, T_2}\ (\mathrm{S}\text{-}\Pi)$$

$$\frac{}{S \le \top}\ (\top\text{-R}) \qquad \frac{T \le S_1 \quad T \le S_2}{T \le S_1 \wedge S_2}\ (\wedge\text{-R})$$

$$\frac{S_1 \le T}{S_1 \wedge S_2 \le T}\ (\wedge\text{-L}_1) \qquad \frac{S_2 \le T}{S_1 \wedge S_2 \le T}\ (\wedge\text{-L}_2)$$

$$\frac{}{\top \le \Pi x{::}S.\, \top}\ (\top/\Pi\text{-dist}) \qquad \frac{}{(\Pi x{::}S.\, T_1) \wedge (\Pi x{::}S.\, T_2) \le \Pi x{::}S.\, (T_1 \wedge T_2)}\ (\wedge/\Pi\text{-dist})$$

Figure 1: Derived rules for subsorting at higher sorts.

4. Subsorting at Higher Sorts

Our bidirectional typing discipline limits subsorting checks to a single rule, the switch rule when we switch modes from checking to synthesis. Since we insist on typing only canonical forms, this rule is limited to checking at atomic sorts $Q$, and consequently, subsorting need only be defined on atomic sorts. These observations naturally lead one to ask, what is the status of higher-sort subsorting in LFR? How do our intuitions about things like structural rules, variance, and distributivity — in particular, the rules shown in Figure 1 — fit into the LFR picture?

It turns out that despite not explicitly including subsorting at higher sorts, LFR implicitly includes an intrinsic notion of higher-sort subsorting through the $\eta$-expansion associated with canonical forms. The simplest way of formulating this intrinsic notion is as a variant of the identity principle: $S$ is taken to be a subsort of $T$ if $\Gamma, x{::}S \sqsubset A \vdash \eta_A(x) \Leftarrow T$. This notion is equivalent to a number of other alternate formulations, including a subsumption-based formulation and a substitution-based formulation.

Theorem 4.1 (Alternate Formulations of Subsorting). Suppose that for some $\Gamma_0$, $\Gamma_0 \vdash S_1 \sqsubset A$ and $\Gamma_0 \vdash S_2 \sqsubset A$, and define:

(1) $S_1 \le_1 S_2 \equiv$ for all $\Gamma$ and $R$: if $\Gamma \vdash R \Rightarrow S_1$, then $\Gamma \vdash \eta_A(R) \Leftarrow S_2$.

(2) $S_1 \le_2 S_2 \equiv$ for all $\Gamma$: $\Gamma, x{::}S_1 \sqsubset A \vdash \eta_A(x) \Leftarrow S_2$.

(3) $S_1 \le_3 S_2 \equiv$ for all $\Gamma$ and $N$: if $\Gamma \vdash N \Leftarrow S_1$, then $\Gamma \vdash N \Leftarrow S_2$.

(4) $S_1 \le_4 S_2 \equiv$ for all $\Gamma_L$, $\Gamma_R$, $N$, and $S$: if $\Gamma_L, x{::}S_2 \sqsubset A, \Gamma_R \vdash N \Leftarrow S$ then $\Gamma_L, x{::}S_1 \sqsubset A, \Gamma_R \vdash N \Leftarrow S$.

(5) $S_1 \le_5 S_2 \equiv$ for all $\Gamma_L$, $\Gamma_R$, $N$, $S$, and $N_1$: if $\Gamma_L, x{::}S_2 \sqsubset A, \Gamma_R \vdash N \Leftarrow S$ and $\Gamma_L \vdash N_1 \Leftarrow S_1$, then $\Gamma_L, [N_1/x]^\gamma_A \Gamma_R \vdash [N_1/x]^n_A N \Leftarrow [N_1/x]^s_A S$.

Then, $S_1 \le_1 S_2 \iff S_1 \le_2 S_2 \iff \cdots \iff S_1 \le_5 S_2$.

Proof. Using the identity and substitution principles along with Lemma 3.21, the commutativity of substitution with $\eta$-expansion.

(1) $\Rightarrow$ (2): By rule, $\Gamma, x{::}S_1 \sqsubset A \vdash x \Rightarrow S_1$. By (1), $\Gamma, x{::}S_1 \sqsubset A \vdash \eta_A(x) \Leftarrow S_2$.

(2) $\Rightarrow$ (3): Suppose $\Gamma \vdash N \Leftarrow S_1$. By (2), $\Gamma, x{::}S_1 \sqsubset A \vdash \eta_A(x) \Leftarrow S_2$. By Theorem 3.19 (Substitution), $\Gamma \vdash [N/x]^n_A\, \eta_A(x) \Leftarrow S_2$. By Lemma 3.21 (Commutativity), $\Gamma \vdash N \Leftarrow S_2$.

(3) $\Rightarrow$ (4): Suppose $\Gamma_L, x{::}S_2 \sqsubset A, \Gamma_R \vdash N \Leftarrow S$. By weakening, $\Gamma_L, y{::}S_1 \sqsubset A, x{::}S_2 \sqsubset A, \Gamma_R \vdash N \Leftarrow S$. By Theorem 3.23 (Identity), $\Gamma_L, y{::}S_1 \sqsubset A \vdash \eta_A(y) \Leftarrow S_1$. By (3), $\Gamma_L, y{::}S_1 \sqsubset A \vdash \eta_A(y) \Leftarrow S_2$. By Theorem 3.19 (Substitution), $\Gamma_L, y{::}S_1 \sqsubset A, [\eta_A(y)/x]^\gamma_A \Gamma_R \vdash [\eta_A(y)/x]^n_A N \Leftarrow [\eta_A(y)/x]^s_A S$. By Lemma 3.21 (Commutativity) and $\alpha$-conversion, $\Gamma_L, x{::}S_1 \sqsubset A, \Gamma_R \vdash N \Leftarrow S$.

(4) $\Rightarrow$ (5): Suppose $\Gamma_L, x{::}S_2 \sqsubset A, \Gamma_R \vdash N \Leftarrow S$ and $\Gamma_L \vdash N_1 \Leftarrow S_1$. By (4), $\Gamma_L, x{::}S_1 \sqsubset A, \Gamma_R \vdash N \Leftarrow S$. By Theorem 3.19 (Substitution), $\Gamma_L, [N_1/x]^\gamma_A \Gamma_R \vdash [N_1/x]^n_A N \Leftarrow [N_1/x]^s_A S$.

(5) $\Rightarrow$ (1): Suppose $\Gamma \vdash R \Rightarrow S_1$. By Theorem 3.22 (Expansion), $\Gamma \vdash \eta_A(R) \Leftarrow S_1$. By Theorem 3.23 (Identity), $\Gamma, x{::}S_2 \sqsubset A \vdash \eta_A(x) \Leftarrow S_2$. By (5), $\Gamma \vdash [\eta_A(R)/x]^n_A\, \eta_A(x) \Leftarrow S_2$. By Lemma 3.21 (Commutativity), $\Gamma \vdash \eta_A(R) \Leftarrow S_2$. □

If we take "subsorting as $\eta$-expansion" to be our model of subsorting, we can show the "usual" presentation in Figure 1 to be both sound and complete with respect to this model. In other words, subsorting as $\eta$-expansion really is subsorting (soundness), and it is no more than subsorting (completeness). Alternatively, we can say that completeness demonstrates that there are no subsorting rules missing from the usual declarative presentation: Figure 1 accounts for everything covered intrinsically by $\eta$-expansion. By the end of this section, we will have shown both theorems: if $S \le T$, then $\Gamma, x{::}S \sqsubset A \vdash \eta_A(x) \Leftarrow T$, and vice versa. Soundness is a straightforward inductive argument.

Theorem 4.2 (Soundness of Declarative Subsorting). If $S \le T$, then $\Gamma, x{::}S \sqsubset A \vdash \eta_A(x) \Leftarrow T$.

Proof. By induction on the derivation of $S \le T$. The alternate formulations given by Theorem 4.1 are useful in many cases. □


The proof of completeness is considerably more intricate. We demonstrate completeness via a detour through an algorithmic subsorting system very similar to the algorithmic typing system from Section 3.2, with judgments $\Delta \le S$ and $\Delta \mathbin{@} x{::}\Delta_1 \sqsubset A_1 = \Delta_2$. To show completeness, we show that intrinsic subsorting implies algorithmic subsorting and that algorithmic subsorting implies declarative subsorting; the composition of these theorems is our desired completeness result.

If $\Gamma, x{::}S \sqsubset A \vdash \eta_A(x) \Leftarrow T$, then $\mathrm{split}(S) \le T$. (Theorem 4.15 below.)

If $\mathrm{split}(S) \le T$, then $S \le T$. (Theorem 4.7 below.)

The following schematic representation of soundness and completeness may help the reader to understand the key theorems.

    "declarative"  $S \le T$  ----soundness---->  "intrinsic"  $\Gamma, x{::}S \sqsubset A \vdash \eta_A(x) \Leftarrow T$
          ^                                                          |
          |                                                          |
          +-----------  "algorithmic"  $\mathrm{split}(S) \le T$  <------+
                                (completeness)
$\Delta \le S$

$$\frac{}{\Delta \le \top} \qquad \frac{Q' \in \Delta \quad Q' \le Q}{\Delta \le Q} \qquad \frac{\Delta \le S_1 \quad \Delta \le S_2}{\Delta \le S_1 \wedge S_2}$$

$$\frac{\Delta \mathbin{@} x{::}\mathrm{split}(S_1) \sqsubset A_1 = \Delta_2 \quad \Delta_2 \le S_2}{\Delta \le \Pi x{::}S_1 \sqsubset A_1.\, S_2}$$

$\Delta \mathbin{@} x{::}\Delta_1 \sqsubset A_1 = \Delta_2$

$$\frac{}{\cdot \mathbin{@} x{::}\Delta_1 \sqsubset A_1 = \cdot} \qquad \frac{\Delta \mathbin{@} x{::}\Delta_1 \sqsubset A_1 = \Delta_2 \quad \Delta_1 \le S_1 \quad [\eta_{A_1}(x)/y]^s_{A_1} S_2 = S_2'}{(\Delta, \Pi y{::}S_1 \sqsubset A_1.\, S_2) \mathbin{@} x{::}\Delta_1 \sqsubset A_1 = \Delta_2, \mathrm{split}(S_2')}$$

$$\frac{\Delta \mathbin{@} x{::}\Delta_1 \sqsubset A_1 = \Delta_2 \quad \Delta_1 \not\le S_1}{(\Delta, \Pi y{::}S_1 \sqsubset A_1.\, S_2) \mathbin{@} x{::}\Delta_1 \sqsubset A_1 = \Delta_2}$$

$$\frac{\Delta \mathbin{@} x{::}\Delta_1 \sqsubset A_1 = \Delta_2 \quad \nexists S_2'.\ [\eta_{A_1}(x)/y]^s_{A_1} S_2 = S_2'}{(\Delta, \Pi y{::}S_1 \sqsubset A_1.\, S_2) \mathbin{@} x{::}\Delta_1 \sqsubset A_1 = \Delta_2} \qquad \frac{\Delta \mathbin{@} x{::}\Delta_1 \sqsubset A_1 = \Delta_2}{(\Delta, Q) \mathbin{@} x{::}\Delta_1 \sqsubset A_1 = \Delta_2}$$

Figure 2: Algorithmic subsorting.



As mentioned above, the algorithmic subsorting system is characterized by two judgments: $\Delta \le S$ and $\Delta \mathbin{@} x{::}\Delta_1 \sqsubset A_1 = \Delta_2$; rules defining them are shown in Figure 2. As in Section 3.2, $\Delta$ represents an intersection-free list of sorts. The interpretation of the judgment $\Delta \le S$, made precise below, is roughly that the intersection of all the sorts in $\Delta$ is a subsort of the sort $S$.

The rule for checking whether $\Delta$ is a subsort of a function sort makes use of the application judgment $\Delta \mathbin{@} x{::}\Delta_1 \sqsubset A_1 = \Delta_2$ to extract all of the applicable function codomains from the list $\Delta$. As in Section 3.2, care is taken to ensure that this latter judgment is defined even in seemingly "impossible" scenarios that well-formedness preconditions would rule out, like $\Delta$ containing atomic sorts or hereditary substitution being undefined.
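The algorithmic subsorting judgments of Figure 2, as an added executable illustration that is not code from the paper. It assumes (the paper does not) a non-dependent fragment: $\Pi$ sorts carry no dependency and no refined types, so the substitution $[\eta_{A_1}(x)/y]^s_{A_1} S_2$ is always defined and returns $S_2$ unchanged, and atomic sorts are bare constants whose subsorting is supplied as a set of pairs assumed already closed under reflexivity and transitivity. The names `Subsorting`, `delta_le`, `delta_app`, `fold_and` and the sorts `even`, `odd`, `nat` are constructed for the example; `le` decides $S \le T$ by checking $\mathrm{split}(S) \le T$, which is exactly the route Theorems 4.7 and 4.15 justify.

```python
"""Algorithmic subsorting (Figure 2) for a non-dependent fragment of LFR.

Added illustration, not the paper's code.  Assumptions (not the paper's):
no dependency or refined types in Pi sorts, atomic sorts are bare constants,
and the atomic subsorting relation is given already closed.
"""
# Sorts: ("atom", name) | ("pi", S1, S2) | ("and", S1, S2) | ("top",)


def split(s):
    """split(S): intersection-free list of the conjuncts of S."""
    if s[0] == "and":
        return split(s[1]) + split(s[2])
    if s[0] == "top":
        return []
    return [s]


def fold_and(delta):
    """The fold operator on lists: /\(.) = top, /\(Delta, S) = /\(Delta) /\ S."""
    acc = ("top",)
    for s in delta:
        acc = ("and", acc, s)
    return acc


class Subsorting:
    def __init__(self, atomic_le):
        self.atomic_le = set(atomic_le)   # assumed reflexive-transitively closed

    def delta_le(self, delta, s):
        """Delta <= S: the intersection of the sorts in Delta is below S."""
        if s[0] == "top":
            return True                   # Delta <= top
        if s[0] == "and":
            return self.delta_le(delta, s[1]) and self.delta_le(delta, s[2])
        if s[0] == "pi":
            # Delta @ x::split(S1) = Delta2   and   Delta2 <= S2
            return self.delta_le(self.delta_app(delta, split(s[1])), s[2])
        # atomic S = Q: some atomic Q' in Delta with Q' <= Q
        return any(q[0] == "atom" and (q == s or (q[1], s[1]) in self.atomic_le)
                   for q in delta)

    def delta_app(self, delta, delta1):
        """Delta @ x::Delta1 = Delta2: codomains of every Pi in Delta whose domain
        is above Delta1; atomic entries and inapplicable Pi entries are dropped,
        so the judgment is always defined."""
        out = []
        for s in delta:
            if s[0] == "pi" and self.delta_le(delta1, s[1]):
                out += split(s[2])        # [eta(x)/y] S2 = S2 in the non-dependent case
        return out

    def le(self, s, t):
        """Decide S <= T via split(S) <= T."""
        return self.delta_le(split(s), t)


# Constructed example: even and odd refine nat, declared even <= nat and odd <= nat.
EVEN, ODD, NAT = ("atom", "even"), ("atom", "odd"), ("atom", "nat")
def pi(s1, s2): return ("pi", s1, s2)
def both(s1, s2): return ("and", s1, s2)

SUB = Subsorting({("even", "nat"), ("odd", "nat")})


def demo():
    """Instances of the Figure 1 rules decided algorithmically."""
    return {
        # S-Pi: contravariant domain, covariant codomain
        "nat->nat <= even->nat": SUB.le(pi(NAT, NAT), pi(EVEN, NAT)),
        "even->odd <= nat->nat": SUB.le(pi(EVEN, ODD), pi(NAT, NAT)),
        # top/Pi-dist and and/Pi-dist
        "top <= nat->top": SUB.le(("top",), pi(NAT, ("top",))),
        "(nat->odd)/\\(nat->even) <= nat->(odd/\\even)":
            SUB.le(both(pi(NAT, ODD), pi(NAT, EVEN)), pi(NAT, both(ODD, EVEN))),
        # and-L / and-R on atomic sorts
        "even/\\odd <= nat": SUB.le(both(EVEN, ODD), NAT),
        "even <= even/\\nat": SUB.le(EVEN, both(EVEN, NAT)),
        "nat <= even": SUB.le(NAT, EVEN),
    }
```

The recursion terminates because each call of `delta_le` inside `delta_app` compares a strict subterm of an element of `delta` with a subterm of the sort being checked, matching the well-founded ordering the paper uses for the algorithmic typing judgments.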

Our first task is to demonstrate that the algorithm has the interpretation alluded to above. To that end, we define an operator $\bigwedge(-)$ that transforms a list $\Delta$ into a sort $S$ by "folding" $\Delta$ over $\wedge$ with unit $\top$.

$$\bigwedge(\cdot) = \top \qquad \bigwedge(\Delta, S) = \bigwedge(\Delta) \wedge S$$

Now our goal is to demonstrate that if the algorithm says $\Delta \le S$, then declaratively $\bigwedge(\Delta) \le S$. First, we prove some useful properties of the $\bigwedge(-)$ operator.

Lemma 4.3. $\bigwedge(\Delta_1) \wedge \bigwedge(\Delta_2) \le \bigwedge(\Delta_1, \Delta_2)$.

Proof. Straightforward induction on $\Delta_2$. □

Lemma 4.4. $S \le \bigwedge(\mathrm{split}(S))$.

Proof. Straightforward induction on $S$. □
$$\frac{S_1 \le T_1 \quad S_2 \le T_2}{S_1 \wedge S_2 \le T_1 \wedge T_2}\ (\mathrm{S}\text{-}\wedge) \qquad \frac{}{S_1 \wedge (S_2 \wedge S_3) \le (S_1 \wedge S_2) \wedge S_3}\ (\wedge\text{-assoc})$$

$$\frac{S \le \Pi x{::}T_1.\, T_2 \quad T_1 \le S_1}{S \wedge \Pi x{::}S_1.\, S_2 \le \Pi x{::}T_1.\, (T_2 \wedge S_2)}\ (\wedge/\Pi\text{-dist}')$$

Figure 3: Useful rules derivable from those in Figure 1.

Lemma 4.5. If $Q' \in \Delta$ and $Q' \le Q$, then $\bigwedge(\Delta) \le Q$.

Proof. Straightforward induction on $\Delta$. □

Theorem 4.6 (Generalized Algorithmic $\Rightarrow$ Declarative).

(1) If $\mathcal{D} :: \Delta \le T$, then $\bigwedge(\Delta) \le T$.

(2) If $\mathcal{D} :: \Delta \mathbin{@} x{::}\Delta_1 \sqsubset A_1 = \Delta_2$, then $\bigwedge(\Delta) \le \Pi x{::}\bigwedge(\Delta_1) \sqsubset A_1.\, \bigwedge(\Delta_2)$.

Proof (sketch). By induction on $\mathcal{D}$, using Lemmas 4.3, 4.4, and 4.5. The derivable rules from Figure 3 come in handy in the proof of clause (2). □

Theorem 4.6 is sufficient to prove that algorithmic subsorting implies declarative subsorting.

Theorem 4.7 (Algorithmic $\Rightarrow$ Declarative). If $\mathrm{split}(S) \le T$, then $S \le T$.

Proof. Suppose $\mathrm{split}(S) \le T$. Then,

$\bigwedge(\mathrm{split}(S)) \le T$ By Theorem 4.6.

$S \le \bigwedge(\mathrm{split}(S))$ By Lemma 4.4.

$S \le T$ By rule trans. □

Now it remains only to show that intrinsic subsorting implies algorithmic. To do so, we require some lemmas. First, we extend our notion of a sort $S$ refining a type $A$ to an entire list of sorts $\Delta$ refining a type $A$ in the obvious way.

$$\frac{}{\Gamma \vdash \cdot \sqsubset A} \qquad \frac{\Gamma \vdash \Delta \sqsubset A \quad \Gamma \vdash S \sqsubset A}{\Gamma \vdash (\Delta, S) \sqsubset A}$$

This new notion has the following important properties.

Lemma 4.8. If $\Gamma \vdash \Delta_1 \sqsubset A$ and $\Gamma \vdash \Delta_2 \sqsubset A$, then $\Gamma \vdash \Delta_1, \Delta_2 \sqsubset A$.

Proof. Straightforward induction on $\Delta_2$. □

Lemma 4.9. If $\Gamma \vdash S \sqsubset A$, then $\Gamma \vdash \mathrm{split}(S) \sqsubset A$.

Proof. Straightforward induction on $S$. □

Lemma 4.10. If $\mathcal{D} :: \Gamma \vdash \Delta \sqsubset \Pi x{:}A_1.\, A_2$ and $\mathcal{E} :: \Gamma \vdash \Delta \mathbin{@} N = \Delta_2$ and $[N/x]^a_{A_1} A_2 = A_2'$, then $\Gamma \vdash \Delta_2 \sqsubset A_2'$.

Proof (sketch). By induction on $\mathcal{E}$, using Theorem 3.9 (Soundness of Algorithmic Typing) to appeal to Theorem 3.19 (Substitution), along with Lemmas 4.8 and 4.9. □
We will also require an analogue of subsumption for our algorithmic typing system, which relies on two lemmas about lists of sorts.

Lemma 4.11. If $\Gamma \vdash \Delta \sqsubset A$, then for all $S \in \Delta$, $\Gamma \vdash S \sqsubset A$.

Proof. Straightforward induction on $\Delta$. □

Lemma 4.12. If for all $S \in \Delta$, $\Gamma \vdash N \Leftarrow S$, then $\Gamma \vdash N \Leftarrow \bigwedge(\Delta)$.

Proof. Straightforward induction on $\Delta$. □

Theorem 4.13 (Algorithmic Subsumption). If $\Gamma \vdash R \Rrightarrow \Delta$ and $\Gamma \vdash \Delta \sqsubset A$ and $\Delta \le S$, then $\Gamma \vdash \eta_A(R) \Lleftarrow S$.

Proof. Straightforward deduction, using soundness and completeness of algorithmic typing.

$\forall S' \in \Delta.\ \Gamma \vdash R \Rightarrow S'$ By Theorem 3.9 (Soundness of Alg. Typing).

$\forall S' \in \Delta.\ \Gamma \vdash S' \sqsubset A$ By Lemma 4.11.

$\forall S' \in \Delta.\ \Gamma \vdash \eta_A(R) \Leftarrow S'$ By Theorem 3.22 (Expansion).

$\Gamma \vdash \eta_A(R) \Leftarrow \bigwedge(\Delta)$ By Lemma 4.12.

$\Delta \le S$ By assumption.

$\bigwedge(\Delta) \le S$ By Theorem 4.6 (Generalized Alg. $\Rightarrow$ Decl.).

$\Gamma \vdash \eta_A(R) \Leftarrow S$ By Theorem 4.2 (Soundness of Decl. Subsorting) and Theorem 4.1 (Alternate Formulations of Subsorting).

$\Gamma \vdash \eta_A(R) \Lleftarrow S$ By Theorem 3.11 (Completeness of Alg. Typing). □



Now we can prove the following main theorem, which generalizes our desired "Intrinsic $\Rightarrow$ Algorithmic" theorem:

Theorem 4.14 (Generalized Intrinsic $\Rightarrow$ Algorithmic).

(1) If $\Gamma \vdash R \Rrightarrow \Delta$ and $\mathcal{E} :: \Gamma \vdash \eta_A(R) \Lleftarrow S$ and $\Gamma \vdash \Delta \sqsubset A$ and $\Gamma \vdash S \sqsubset A$, then $\Delta \le S$.

(2) If $\Gamma \vdash x \Rrightarrow \Delta_1$ and $\mathcal{E} :: \Gamma \vdash \Delta \mathbin{@} \eta_{A_1}(x) = \Delta_2$ and $\Gamma \vdash \Delta_1 \sqsubset A_1$ and $\Gamma \vdash \Delta \sqsubset \Pi x{:}A_1.\, A_2$, then $\Delta \mathbin{@} x{::}\Delta_1 \sqsubset A_1 = \Delta_2$.

Proof (sketch). By induction on $A$, $S$, and $\mathcal{E}$.

Clause (1) is most easily proved by case analyzing the sort $S$ and applying inversion to the derivation $\mathcal{E}$. The case when $S = \Pi x{::}S_1 \sqsubset A_1.\, S_2$ appeals to the induction hypothesis at an unrelated derivation but at a smaller type, and Lemmas 4.8 and 4.9 are used to satisfy the preconditions of the induction hypotheses.

Clause (2) is most easily proved by case analyzing the derivation $\mathcal{E}$. In one case, we require the contrapositive of Theorem 4.13 (Algorithmic Subsumption) to convert a derivation of $\Gamma \nvdash \eta_{A_1}(x) \Lleftarrow S_1$ into a derivation of $\Delta_1 \not\le S_1$. □

Theorem 4.14, along with Theorem 3.11, the Completeness of Algorithmic Typing, gives us our desired result:

Theorem 4.15 (Intrinsic $\Rightarrow$ Algorithmic). If $\Gamma, x{::}S \sqsubset A \vdash \eta_A(x) \Leftarrow T$, then $\mathrm{split}(S) \le T$.



Proof. Suppose $\Gamma, x{::}S \sqsubset A \vdash \eta_A(x) \Leftarrow T$. Then,

$\Gamma, x{::}S \sqsubset A \vdash x \Rrightarrow \mathrm{split}(S)$ By rule.

$\Gamma, x{::}S \sqsubset A \vdash \eta_A(x) \Lleftarrow T$ By Theorem 3.11 (Completeness of Alg. Typing).

$\mathrm{split}(S) \le T$ By Theorem 4.14. □

Finally, we have completeness as a simple corollary:

Theorem 4.16 (Completeness of Declarative Subsorting). If $\Gamma, x{::}S \sqsubset A \vdash \eta_A(x) \Leftarrow T$, then $S \le T$.

Proof. Corollary of Theorems 4.15 and 4.7. □



5. Proof Irrelevance 

When constructive type theory is used as a foundation for verified functional programming, we notice that many parts of proofs are computationally irrelevant, that is, their structure does not affect the returned value we are interested in. The role of these proofs is only to guarantee that the returned value satisfies the desired specification. For example, from a proof of $\forall x{:}A.\, \exists y{:}B.\, C(x, y)$ we may choose to extract a function $f : A \to B$ such that $C(x, f(x))$ holds for every $x{:}A$, but ignore the proof that this is the case. The proof must be present, but its identity is irrelevant. Proof-checking in this scenario has to ascertain that such a proof is indeed not needed to compute the relevant result.

A similar issue arises when a type theory such as $\lambda^\Pi$ is used as a logical framework. For example, assume we would like to have an adequate representation of prime numbers, that is, to have a bijection between prime numbers $p$ and closed terms $M : \mathit{primenum}$. It is relatively easy to define a type family $\mathit{prime} : \mathit{nat} \to \mathit{type}$ such that there exists a closed $M : \mathit{prime}\ N$ if and only if $N$ is prime. Then $\mathit{primenum} = \Sigma n{:}\mathit{nat}.\, \mathit{prime}\ n$ is a candidate (with members $(N, M)$), but it is not actually in bijective correspondence with prime numbers unless the proof $M$ that a number is prime is always unique. Again, we need the existence of $M$, but would like to ignore its identity. This can be achieved with subset types [C+86, SS88] $\{x{:}\mathit{nat} \mid \mathit{prime}(x)\}$ whose members are just the prime numbers $p$, but if the restricting predicate is undecidable then type-checking would be undecidable, which is not acceptable for a logical framework.

For LF, we further note that E is not available as a type constructor, so we instead 
introduce a new type primenum with exactly one constructor, primenum/ i: 

primenum : type. 

primenum/ i : HN:nat. prime N -j> primenum. 

Here the second arrow -j> represents a function that ignores the identity of its argument. 
The inhabitants of primenum, all of the form primenum/ i N [M], are now in bijective 
correspondence with prime numbers since primenum/ i N [M] = primenum/ i N [M'\ for all 
M and M' . 

In the extension of LF with proof irrelevance [Pfe01a, RP08], or LFI, we have a new form of hypothesis x ÷ A (x has type A, but the identity of x should be irrelevant). In the non-dependent case (the only one important for the purposes of this paper), such an assumption is introduced by a λ-abstraction:

$$\frac{\Gamma, x \div A \vdash M \Leftarrow B}{\Gamma \vdash \lambda x.\, M \Leftarrow A \div\!\!\to B}$$

We can use such variables only in places where their identity does not matter, e.g., in the second argument to the constructor primenum/i in the prime number example. More generally, we can only use them in arguments to constructor functions that do not care about the identity of their argument:

$$\frac{\Gamma \vdash R \Rightarrow A \div\!\!\to B \qquad \Gamma^{\oplus} \vdash N \Leftarrow A}{\Gamma \vdash R\,[N] \Rightarrow B}$$

Here, $\Gamma^{\oplus}$ is the promotion operator, which converts every assumption x ÷ A to x : A, thereby making x usable in N. Note that there is no direct way to use an assumption x ÷ A.

The underlying definitional equality "=" (usually just α-conversion on canonical forms) is extended so that R [N] = R' [N'] whenever R = R', no matter what N and N' are.

The substitution principle (shown here only in its simplest, non-dependent form) captures the proper typing as well as the irrelevance of assumptions x ÷ A:

Principle 5.1 (Irrelevant Substitution). If $\Gamma, x \div A \vdash N \Leftarrow B$ and $\Gamma^{\oplus} \vdash M \Leftarrow A$, then $\Gamma \vdash [M/x]N \Leftarrow B$ and $[M/x]N = N$ (under definitional equality).
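The following Python model is an added example, not code from the paper: it implements the three mechanisms just described on a tiny term language, namely the definitional equality that ignores bracketed arguments, the scoping discipline under which a hypothesis x ÷ A may be used only inside [ ] (the promotion Γ⊕), and the second half of Principle 5.1. The term constructors, the numerals, and the two opaque primality proofs prime7/a and prime7/b are constructed for the example.

```python
# Added example: a small model of LFI's irrelevant application R [N] and of the
# use discipline for hypotheses x÷A (Section 5).  Not code from the paper.
from __future__ import annotations
from dataclasses import dataclass
from typing import Union

@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class Const: name: str
@dataclass(frozen=True)
class App: fun: Term; arg: Term           # ordinary application   R N
@dataclass(frozen=True)
class IrrApp: fun: Term; arg: Term        # irrelevant application R [N]
@dataclass(frozen=True)
class Lam: var: str; irrelevant: bool; body: Term   # λx. M binding x:A (False) or x÷A (True)
Term = Union[Var, Const, App, IrrApp, Lam]


def subst(t: Term, x: str, m: Term) -> Term:
    """[M/x]t, ordinary substitution.  Binder names are assumed distinct from the
    free variables of M, so no capture handling is needed for this example."""
    if isinstance(t, Var):
        return m if t.name == x else t
    if isinstance(t, Const):
        return t
    if isinstance(t, App):
        return App(subst(t.fun, x, m), subst(t.arg, x, m))
    if isinstance(t, IrrApp):
        return IrrApp(subst(t.fun, x, m), subst(t.arg, x, m))
    return t if t.var == x else Lam(t.var, t.irrelevant, subst(t.body, x, m))


def defeq(m: Term, n: Term) -> bool:
    """Definitional equality on canonical forms, extended as in Section 5:
    R [N] = R' [N'] whenever R = R', whatever N and N' are."""
    if type(m) is not type(n):
        return False
    if isinstance(m, (Var, Const)):
        return m.name == n.name
    if isinstance(m, App):
        return defeq(m.fun, n.fun) and defeq(m.arg, n.arg)
    if isinstance(m, IrrApp):
        return defeq(m.fun, n.fun)                  # bracketed argument ignored
    # α-conversion: compare the bodies after renaming n's binder to m's
    return m.irrelevant == n.irrelevant and defeq(m.body, subst(n.body, n.var, Var(m.var)))


def well_scoped(t: Term, ctx: dict) -> bool:
    """Use discipline for irrelevant hypotheses.  ctx maps a variable to True when it
    was bound as x÷A.  Such a variable may occur only inside [N], where the context
    is promoted (Γ⊕ turns every x÷A into x:A).  Constants are always allowed."""
    if isinstance(t, Var):
        return t.name in ctx and not ctx[t.name]
    if isinstance(t, Const):
        return True
    if isinstance(t, App):
        return well_scoped(t.fun, ctx) and well_scoped(t.arg, ctx)
    if isinstance(t, IrrApp):
        promoted = {x: False for x in ctx}          # Γ⊕
        return well_scoped(t.fun, ctx) and well_scoped(t.arg, promoted)
    return well_scoped(t.body, {**ctx, t.var: t.irrelevant})


# Constructed sample: the prime-number encoding with opaque primality proofs.
def numeral(k: int) -> Term:
    t: Term = Const("z")
    for _ in range(k):
        t = App(Const("s"), t)
    return t


def primenum(n: Term, proof: Term) -> Term:
    """primenum/i N [M]"""
    return IrrApp(App(Const("primenum/i"), n), proof)


PROOF_A, PROOF_B = Const("prime7/a"), Const("prime7/b")   # two hypothetical proofs that 7 is prime


def same_prime_different_proofs() -> bool:
    return defeq(primenum(numeral(7), PROOF_A), primenum(numeral(7), PROOF_B))   # True


def different_primes() -> bool:
    return defeq(primenum(numeral(7), PROOF_A), primenum(numeral(5), PROOF_A))   # False


# λp÷(prime 7). primenum/i 7 [p]: p occurs only irrelevantly, so this is accepted.
GOOD = Lam("p", True, primenum(numeral(7), Var("p")))
# λp÷(prime 7). primenum/i p [prime7/a]: an irrelevant variable in a relevant position.
BAD = Lam("p", True, primenum(Var("p"), PROOF_A))


def irrelevant_substitution_is_invisible() -> bool:
    """Principle 5.1, second half: when p is used only irrelevantly, [M/p]N = N."""
    n = primenum(numeral(7), Var("p"))
    return defeq(subst(n, "p", PROOF_A), n)
```

The promotion is modelled literally as a context transformation rather than a flag: a λ nested inside a bracket that binds a new x ÷ A still adds an irrelevant hypothesis, exactly as the rule for R [N] checks N against Γ⊕ extended by whatever N binds.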

One typical use of proof irrelevance in type theory is to render the typechecking of subset types [C+86, SS88] decidable. A subset type {x:A | B(x)} represents the set of terms of type A which also satisfy B; typechecking is undecidable because to determine whether a term M has this type, one must search for a proof of B(M). One might attempt to recover decidability by using a dependent sum Σx:A. B(x), representing the set of terms M of type A paired with proofs of B(M); typechecking is then decidable, since a proof of B(M) is provided, but equality of terms is overly fine-grained: if there are two proofs of B(M), the two pairs will be considered unequal. Using proof irrelevance, one can find a middle ground with the type Σx:A. [B(x)], where [−] represents the proof irrelevance modality. Type checking is decidable for such terms, since a proof of the property B is always given, but the identity of that proof is ignored, so all pairs with the same first component are considered equal.

Our situation with the subset interpretation is similar: we would like to represent proofs 
of sort-checking judgments without depending on the identities of those proofs. By carefully 
using proof irrelevance to hide the identities of sort-checking proofs, we are able to make a 
translation that is sound and complete, preserving the adequacy of representations. 



6. Interpretation 



6.1. Overview. We interpret LFR into LFI by representing sorts as predicates and derivations of sorting as proofs of those predicates. In this section, we endeavor to explain our general translation by way of examples of it in action. The translation is derivation-directed and compositional: for each judgment Γ ⊢ J, there is a corresponding judgment Γ ⊢ J ~> X whose rules mimic the rules of Γ ⊢ J. The syntactic class of X and its precise interpretation vary from judgment to judgment. For reference, the various forms are listed in Table 2, but we will explain them in turn as they arise in our examples.

Table 2: Judgments of the translation.

  Judgment                          Result                  Meaning
  Γ ⊢ L ⊏ K ~>form 𝐋_f             𝐋_f(−)                  Type of proofs of the formation family
  K ~>pred 𝐊_p                     𝐊_p(−, −)               Kind of the predicate family
  K ~> 𝐊_s                         𝐊_s(−, −, −, −, −)      Type of coercions between families of kind K
  Γ ⊢ S ⊏ A ~> 𝐒                   𝐒(−)                    Predicate representing the sort S
  Γ ⊢ Q ⊏ P ⇒ L ~> Q̂               Q̂                       Proof that Q is well-formed
  Γ ⊢ N ⇐ S ~> N̂                   N̂                       Proof that N has sort S
  Γ ⊢ R ⇒ S ~> R̂                   R̂                       Proof that R has sort S
  Γ ⊢ Q₁ ≤ Q₂ ~> 𝐅                 𝐅(−, −)                 Metacoercion from proofs of Q₁ to proofs of Q₂
  Q₁ < Q₂ ~> Q₁-Q₂                 Q₁-Q₂                   Coercion from proofs of Q₁ to proofs of Q₂
  ⊢ Γ ctx ~> Γ̂                     Γ̂                       Translated context
  ⊢ Σ sig ~> Σ̂                     Σ̂                       Translated signature

Recall our simplest example of refinement types: the natural numbers, where the even and odd numbers are isolated as refinements.

nat : type.
z : nat.
s : nat → nat.

even ⊏ nat.
odd ⊏ nat.
z :: even.
s :: even → odd ∧ odd → even.

As described in the introduction, our translation represents even and odd as predicates on natural numbers, and the refinement declarations for z and s become declarations of constants for constructing proofs of those predicates.

even : nat → type.
odd : nat → type.
ẑ : even z.
ŝ₁ : Πx:nat. even x → odd (s x).
ŝ₂ : Πx:nat. odd x → even (s x).

Starting simple, the proof constructor declaration for ẑ can be read as an assertion that the constant z satisfies a certain predicate, namely that of being even.

In fact, every sort S will have a representation as a predicate, not just the base sorts like even and odd. Generally, a predicate is just a type with a hole for a term; conventionally, we write the predicate representation of S as a meta-level function $\mathbf{S}(-)$, and we say that a term N satisfies such a predicate if the type $\mathbf{S}(N)$ is inhabited. Predicates are the output of the sort translation judgment $\Gamma \vdash S \sqsubset A \rightsquigarrow \mathbf{S}$, which mirrors the sort formation judgment, adding a translation as an output.

For example, the predicate corresponding to the sort even → odd is the meta-function (Πx:nat. even x → odd ((−) x)), and we see this predicate applied to the successor constant s in the type of the proof constructor ŝ₁. Thus the proof constructor declaration for ŝ₁ can also be read as an assertion: the constant s satisfies the predicate that, when applied to an even natural number, it yields an odd one.
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Our analysis suggests a general strategy for translating a refinement type declaration: 
translate its sort into a predicate, and yield a declaration of a proof constructor asserting 
that the predicate holds of the original constant. 

h S, c::S sig ~> E, c:S(n A (c)) 

As a reflection of the fact that in general these predicates may be applied to arbitrary terms, 
not just atomic ones, we fully 77-expand the constant before applying the predicate. 

How do arrow sorts like even —¥ odd translate in general? Recall that S — > T is just 
shorthand for the dependent function sort Uxr.S. T when x does not occur in T. The general 
rule for translating dependent function sorts is: 

ThSnA^S T^x-.-.SnAhTnB^f 

T h TLx::S\zA. T C Ux:A. B ~> XN. Ux:A. n.x:S(r) A (x)).T(N@x) 

There are two points of note in this rule. First, writing predicates as types with holes be- 
comes cumbersome, so we instead write metafunctions explicitly using meta- level abstrac- 
tion, written as a bold A; we continue to write meta-level application using bold (parens). 
Second, since as we noted above, the term argument of a predicate is in general a canonical 
term, and canonical terms may not appear in application position, we appeal to an auxiliary 
judgment that applies a canonical term to an atomic one, N@R. It is defined by the single 
clause, 

{Xx.N)@R= [R/x] N, 

where the right-hand side is an ordinary non-hereditary substitution. Now we can read the 
translation output as the predicate of a term N which holds if there is a function from 
objects x : A satisfying predicate S to proofs that N applied to x satisfies predicate T. 

But what about the fact that s had only one declaration in the original signature, while there are two proof constructor declarations asserting predicates that hold of it? For compositionality's sake, we would like to translate the single refinement declaration for s into a single proof constructor declaration, but one that can effectively serve the roles of both ŝ₁ and ŝ₂. To this end, we use a product type.

ŝ : (Πx:nat. even x → odd (s x))
  × (Πx:nat. odd x → even (s x)).

Now π_i ŝ may be used anywhere ŝ_i was used before. Generally, an intersection sort will translate to a conjunction of predicates, represented as a type-theoretic product. Similarly, the nullary intersection ⊤ will translate to a unit type (see the footnote below).

$$\frac{\Gamma \vdash S_1 \sqsubset A \rightsquigarrow \mathbf{S}_1 \qquad \Gamma \vdash S_2 \sqsubset A \rightsquigarrow \mathbf{S}_2}{\Gamma \vdash S_1 \wedge S_2 \sqsubset A \rightsquigarrow \boldsymbol{\lambda} N.\; \mathbf{S}_1(N) \times \mathbf{S}_2(N)}\;(\wedge\text{-F}) \qquad \frac{}{\Gamma \vdash \top \sqsubset A \rightsquigarrow \boldsymbol{\lambda} N.\; 1}\;(\top\text{-F})$$

Footnote: Strictly speaking, this means our translation targets an extension of LFI with product and unit types. Such an extension is orthogonal to the addition of proof irrelevance, and has been studied by many people over the years, including Schürmann [Sch03] and Sarkar [Sar09]. Alternatively, products may be eliminated after translation by a simple currying transformation, but that is beyond the scope of this article.

What kinds of proofs inhabit these predicates? Such proofs are the output of the term translation judgment $\Gamma \vdash N \Leftarrow S \rightsquigarrow \hat N$, which mirrors the sort checking judgment, adding a translation as an output. Generally, a derivation that a term N has sort S will translate to a proof $\hat N$ that the predicate $\mathbf{S}$ holds of N (where $\mathbf{S}$ is as usual the interpretation of S as a predicate), or symbolically: if $S \sqsubset A \rightsquigarrow \mathbf{S}$ and $N \Leftarrow S \rightsquigarrow \hat N$, then $\hat N \Leftarrow \mathbf{S}(N)$, ignoring for a moment the question of what happens to the contexts. This expectation begins to hint at the soundness theorem we will demonstrate below, but for now we will use it just to guide our intuitions.
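As an added example, not code from the paper, the following Python model implements the sort translation rules given so far (Q-F for simple sorts, Π-F, ∧-F and ⊤-F) together with η-expansion and the N @ R operation, and applies the resulting predicate to an η-expanded constant. Run on the sort of s it reproduces the product type of ŝ displayed above. Assumptions of the model: x̂ is printed as x^; base sorts are treated as having a trivial formation family (the extra formation-family argument of the general base-sort rule is not modelled); only non-dependent function types occur, so η-expansion does not substitute into codomains; binder names are distinct.

```python
# Added example: a Python model of the sort-to-predicate translation of Section 6.1.
# Not code from the paper.  A predicate is a Python callable Term -> Type, which is
# exactly the paper's metafunction  λN. ...   (x̂ is written x^ in printed output).
from __future__ import annotations
from dataclasses import dataclass
from itertools import count
from typing import Callable, Union

@dataclass(frozen=True)
class Atom: name: str                                    # variable or constant
@dataclass(frozen=True)
class App: fun: Term; arg: Term
@dataclass(frozen=True)
class Lam: var: str; body: Term
Term = Union[Atom, App, Lam]

@dataclass(frozen=True)
class Base: fam: str; args: tuple                        # type family applied to terms, e.g. even x
@dataclass(frozen=True)
class Pi: var: str; dom: Type; cod: Type                 # Πx:A. B  (A -> B when x is not free in B)
@dataclass(frozen=True)
class Prod: left: Type; right: Type                      # A × B
@dataclass(frozen=True)
class Unit: pass                                         # 1
Type = Union[Base, Pi, Prod, Unit]
Pred = Callable[[Term], Type]                            # the metafunction 𝐒(−)

@dataclass(frozen=True)
class SBase: fam: str; args: tuple                       # base sort, e.g. even
@dataclass(frozen=True)
class SPi: var: str; dom: Sort; dom_type: Type; cod: Sort   # Πx::S⊏A. T
@dataclass(frozen=True)
class SAnd: left: Sort; right: Sort                      # S1 ∧ S2
@dataclass(frozen=True)
class STop: pass                                         # ⊤
Sort = Union[SBase, SPi, SAnd, STop]
_fresh = count()


def subst(body: Term, x: str, r: Term) -> Term:
    """Ordinary, non-hereditary substitution [R/x]body (binder names assumed distinct)."""
    if isinstance(body, Atom): return r if body.name == x else body
    if isinstance(body, App):  return App(subst(body.fun, x, r), subst(body.arg, x, r))
    return body if body.var == x else Lam(body.var, subst(body.body, x, r))

def meta_app(n: Term, r: Term) -> Term:
    """N @ R, defined by the single clause  (λx. N) @ R = [R/x] N."""
    if not isinstance(n, Lam):
        raise ValueError("N @ R is only defined when N is a λ-abstraction")
    return subst(n.body, n.var, r)

def eta(r: Term, a: Type) -> Term:
    """η_A(R): long η-expansion of an atomic term at type A; the identity at base types."""
    if isinstance(a, Pi):
        y = f"y{next(_fresh)}"
        return Lam(y, eta(App(r, eta(Atom(y), a.dom)), a.cod))
    return r

def translate_sort(s: Sort) -> Pred:
    """Γ ⊢ S ⊏ A ~> 𝐒: the predicate representing the sort S."""
    if isinstance(s, SBase):                 # simple base sort: predicate family applied to N
        return lambda n: Base(s.fam, s.args + (n,))
    if isinstance(s, STop):                  # ⊤-F
        return lambda n: Unit()
    if isinstance(s, SAnd):                  # ∧-F
        p1, p2 = translate_sort(s.left), translate_sort(s.right)
        return lambda n: Prod(p1(n), p2(n))
    dom, cod, x = translate_sort(s.dom), translate_sort(s.cod), s.var     # Π-F:
    return lambda n: Pi(x, s.dom_type,       # λN. Πx:A. Πx̂:𝐒(η_A(x)). 𝐓(N @ x)
                        Pi(x + "^", dom(eta(Atom(x), s.dom_type)), cod(meta_app(n, Atom(x)))))

def show_term(t: Term) -> str:
    if isinstance(t, Atom): return t.name
    if isinstance(t, App):  return f"{show_term(t.fun)} {atom(t.arg)}"
    return f"λ{t.var}. {show_term(t.body)}"

def atom(t: Term) -> str:
    return f"({show_term(t)})" if isinstance(t, (App, Lam)) else show_term(t)

def show_type(a: Type) -> str:
    if isinstance(a, Base): return " ".join([a.fam, *map(atom, a.args)])
    if isinstance(a, Pi):   return f"Π{a.var}:{show_type(a.dom)}. {show_type(a.cod)}"
    if isinstance(a, Prod): return f"({show_type(a.left)}) × ({show_type(a.right)})"
    return "1"

# The running example: even, odd, and  s :: even → odd ∧ odd → even  at LF type nat → nat.
NAT = Base("nat", ())
EVEN, ODD = SBase("even", ()), SBase("odd", ())

def arrow_sort(s: Sort, a: Type, t: Sort) -> Sort:
    """S → T is shorthand for Πx::S⊏A. T with x not occurring in T."""
    return SPi("x", s, a, t)

SORT_OF_S = SAnd(arrow_sort(EVEN, NAT, ODD), arrow_sort(ODD, NAT, EVEN))
TYPE_OF_S = Pi("_", NAT, NAT)

def proof_constructor_type(sort: Sort, c: str, a: Type) -> str:
    """Type of the translated proof constructor ĉ for c::S, namely 𝐒(η_A(c)), printed."""
    return show_type(translate_sort(sort)(eta(Atom(c), a)))
```

proof_constructor_type(SORT_OF_S, "s", TYPE_OF_S) prints the product type of ŝ, and proof_constructor_type(EVEN, "z", NAT) prints the type of ẑ; the η-expansion of s to λy. s y is what makes (λy. s y) @ x reduce to s x inside the codomain predicate.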

For example, since an intersection sort is represented by a product of predicates, we should expect that a term judged to have an intersection sort translates to a proof of a product, i.e., a pair. Similarly, since the sort ⊤ translates to a trivially true unit predicate, a term judged to have sort ⊤ should translate to the trivial unit element.

$$\frac{\Gamma \vdash N \Leftarrow S_1 \rightsquigarrow \hat N_1 \qquad \Gamma \vdash N \Leftarrow S_2 \rightsquigarrow \hat N_2}{\Gamma \vdash N \Leftarrow S_1 \wedge S_2 \rightsquigarrow \langle \hat N_1, \hat N_2 \rangle}\;(\wedge\text{-I}) \qquad \frac{}{\Gamma \vdash N \Leftarrow \top \rightsquigarrow \langle\rangle}\;(\top\text{-I})$$

Intuitively, knowing that a term has an intersection sort S₁ ∧ S₂ gives us two pieces of information about it, while knowing that a term has sort ⊤ tells us nothing new. This aspect of our translation is similar in spirit to Liquori and Ronchi Della Rocca's [LRDR07] Church-style type system for intersections, in which derivations are explicitly represented as proofs and intersections as products, though in their setting the proofs are viewed as part of a program rather than the output of a translation.

We can similarly intuit the appropriate proof for an implication predicate by examining the rule for translating Πx::S. T above. We start from the sort-checking rule Π-I, which shows that a term λx. N has sort Πx::S. T. To prove that the corresponding Π predicate holds of λx. N, we have to produce a function taking an object x of type A and a proof that x satisfies $\mathbf{S}$, and yielding a proof that (λx. N) @ x = [x/x] N = N satisfies $\mathbf{T}$. This is easily done: the translation of the body N is precisely the proof we require about N, and we wrap it in two λ-abstractions to get a proof of the Π predicate.

$$\frac{\Gamma, x{::}S \sqsubset A \vdash N \Leftarrow T \rightsquigarrow \hat N}{\Gamma \vdash \lambda x.\, N \Leftarrow \Pi x{::}S \sqsubset A.\, T \rightsquigarrow \lambda x.\, \lambda \hat x.\, \hat N}\;(\Pi\text{-I})$$

Careful examination of the Π-I rule reveals a subtlety: it is clear from our understanding of the sort-checking part of the rule that the free variables of N and T may include x, but we seem to have indicated by our λ-abstraction that the proof $\hat N$ may depend not only on the variable x but also on a variable $\hat x$. Where did this second variable come from?

The answer, as hinted above, is that we have not yet specified with respect to what context the translation of a term is to be interpreted. This context should in fact be the translation of the context Γ associated with the original term N, and by convention we write it as $\hat\Gamma$. The judgment translating contexts is an annotated version of the context-formation judgment, written $\vdash \Gamma \;\mathsf{ctx} \rightsquigarrow \hat\Gamma$.

$$\frac{}{\vdash \cdot \;\mathsf{ctx} \rightsquigarrow \cdot} \qquad \frac{\vdash \Gamma \;\mathsf{ctx} \rightsquigarrow \hat\Gamma \qquad \Gamma \vdash S \sqsubset A \rightsquigarrow \mathbf{S}}{\vdash \Gamma, x{::}S \sqsubset A \;\mathsf{ctx} \rightsquigarrow \hat\Gamma,\; x{:}A,\; \hat x{:}\mathbf{S}(\eta_A(x))}$$

The second rule is quite similar to the translation rule we have seen for signature declarations c::S: each declaration x::S ⊏ A splits into a typing declaration x:A and a proof declaration $\hat x : \mathbf{S}(\eta_A(x))$. Now it is easily seen why the proof $\hat N$ in the translation rule Π-I may depend on $\hat x$: our soundness criterion will tell us that $\hat\Gamma, x{:}A, \hat x{:}\mathbf{S}(\eta_A(x)) \vdash \hat N \Leftarrow \mathbf{T}(N)$.

There is just one sort checking rule remaining: the switch rule for checking an atomic term at a base sort. This rule appeals to subsorting, so we postpone discussion of it until we discuss the translation of subsorting judgments in Section 6.3. For now, the reader may think of the rule as simply returning the result of the sort synthesis translation judgment, $\Gamma \vdash R \Rightarrow S \rightsquigarrow \hat R$. At the base cases, this judgment returns the hatted proof constants $\hat c$ and variables $\hat x$ we have seen in the translations of signature declarations and contexts. The other rules correspond to elimination forms, and they follow straightforwardly by the same intuitions we used to derive the introduction rules in the sort checking translation. All the rules for this judgment are shown in Figure 4.

Figure 4: Translation rules for atomic term sort synthesis, $\Gamma \vdash R \Rightarrow S \rightsquigarrow \hat R$.

$$\frac{c{::}S \in \Sigma}{\Gamma \vdash c \Rightarrow S \rightsquigarrow \hat c}\;(\text{const}) \qquad \frac{x{::}S \sqsubset A \in \Gamma}{\Gamma \vdash x \Rightarrow S \rightsquigarrow \hat x}\;(\text{var})$$

$$\frac{\Gamma \vdash R_1 \Rightarrow \Pi x{::}S_2 \sqsubset A_2.\, S \rightsquigarrow \hat R_1 \qquad \Gamma \vdash N_2 \Leftarrow S_2 \rightsquigarrow \hat N_2 \qquad [N_2/x]_{A_2}\, S = S'}{\Gamma \vdash R_1\, N_2 \Rightarrow S' \rightsquigarrow \hat R_1\, N_2\, \hat N_2}\;(\Pi\text{-E})$$

$$\frac{\Gamma \vdash R \Rightarrow S_1 \wedge S_2 \rightsquigarrow \hat R}{\Gamma \vdash R \Rightarrow S_1 \rightsquigarrow \pi_1 \hat R}\;(\wedge\text{-E}_1) \qquad \frac{\Gamma \vdash R \Rightarrow S_1 \wedge S_2 \rightsquigarrow \hat R}{\Gamma \vdash R \Rightarrow S_2 \rightsquigarrow \pi_2 \hat R}\;(\wedge\text{-E}_2)$$

There is also just one sort formation rule remaining: the rule for translating base sorts Q. Although this translation seems straightforward in the case of simple sorts like even and odd, it is rather subtle when it comes to dependent sort families, due to a problem of coherence. To explain, we return to another early example, the doubling relation on natural numbers.



6.2. Dependent Base Sorts. Recall the double relation defined as a type family in LF:

double : nat → nat → type.
dbl/z : double z z.
dbl/s : ΠN:nat. ΠN2:nat. double N N2 → double (s N) (s (s N2)).

As we saw earlier, we can use LFR refinement kinds, or classes, to express and enforce the property that the second subject of any doubling relation is always even, no matter what properties hold of the first subject. To do so we define a sort double* which is isomorphic to double, but has a more precise class (see the footnote below).

double* ⊏ double :: ⊤ → even → sort.
dbl/z :: double* z z.
dbl/s :: ΠN::⊤. ΠN2::even. double* N N2 → double* (s N) (s (s N2)).

Successfully sort-checking the declarations for dbl/z and dbl/s demonstrates that whenever double* M N is inhabited, the second argument, N, is even.

Footnote: Earlier, we used the name double for both the type family and the sort family refining it, but in what follows it will be important to distinguish the two.
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There is a crucial difference between refinements like even or odd and refinements like 
double*: while even and odd denote particular subsets of the natural numbers, the inhabi- 
tants of the refinement double* M N are identical to those of the ordinary type double M N. 
What is important is not whether a particular instance double* M N is inhabited, but rather 
whether it is well-formed at all. 

For this reason, we separate the formation of a dependent refinement type family from 
its inhabitation. Simple sorts like even and odd are always well-formed, but we would like 
a way to explicitly represent the formation of an indexed sort like double* M N. Therefore, 
we translate double* into two parts: a formation family, written double*, and a predicate 
family, written using the original name of the sort, double*. 

There are two declarations involving the formation family. First, the declaration of the formation family itself:

$\overline{\mathit{double}^*} : \mathit{nat} \to \mathit{nat} \to \mathsf{type}.$

The formation family has the same kind as the original refined type. Intuitively, the formation family $\overline{\mathit{double}^*}\, M\, N$ should be inhabited whenever the sort double* M N would have been a well-formed sort pre-translation. For example, $\overline{\mathit{double}^*}\, z\, z$ will be inhabited, since double* z z was a well-formed sort.

Next, we have a constructor for the formation family:

$\overline{\mathit{double}^*}/i : \Pi x{:}\mathit{nat}.\, \Pi y{:}\mathit{nat}.\, \mathit{even}\, y \to \overline{\mathit{double}^*}\, x\, y.$

The constructor takes all the arguments to double* along with evidence that they have the appropriate sorts and yields a member of the formation family, i.e. a proof that double* applied to those arguments was well-formed pre-translation. For example, $\overline{\mathit{double}^*}/i\; z\; z\; \hat z$ is a proof that double* z z was well-formed, since it contains the necessary evidence: a proof that the second argument z is even.

Finally, we have a declaration for the predicate family itself:

$\mathit{double}^* : \Pi x{:}\mathit{nat}.\, \Pi y{:}\mathit{nat}.\, \overline{\mathit{double}^*}\, x\, y \div\!\!\to \mathit{double}\, x\, y \to \mathsf{type}.$

For any M and N, the predicate family will be inhabited by proofs that derivations of double M N have the refinement double* M N, provided that double* M N is well-formed in the first place. In our doubling example, all derivations of double M N satisfy the refinement double* M N, so the predicate family will have one inhabitant for each of them. As before, these inhabitants come from the translation of the refinement declarations for dbl/z and dbl/s. Writing arguments in irrelevant position in [square brackets], we get:

$\widehat{\mathit{dbl/z}} : \mathit{double}^*\, z\, z\, [\overline{\mathit{double}^*}/i\; z\; z\; \hat z]\; \mathit{dbl/z}.$

$\widehat{\mathit{dbl/s}} : \Pi N{:}\mathit{nat}.\, \Pi N_2{:}\mathit{nat}.\, \Pi \hat N_2{:}\mathit{even}\, N_2.\, \Pi D{:}\mathit{double}\, N\, N_2.$
$\qquad \mathit{double}^*\, N\, N_2\, [\overline{\mathit{double}^*}/i\; N\; N_2\; \hat N_2]\; D$
$\qquad \to \mathit{double}^*\, (s\, N)\, (s\, (s\, N_2))\, [\overline{\mathit{double}^*}/i\; (s\, N)\; (s\, (s\, N_2))\; (\hat s_2\, (s\, N_2)\, (\hat s_1\, N_2\, \hat N_2))]\; (\mathit{dbl/s}\; N\; N_2\; D).$
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As is evident even from this short and abbreviated example, the interpretation leads to a 
significant blowup in the size and complexity of a signature, underscoring the importance 
of a primitive understanding of refinement types. 

Note that in the declaration of the predicate family double*, the proof of well-formedness is made irrelevant using the proof-irrelevant function space $A \div\!\!\to B$, representing functions from A to B that are insensitive to the identity of their argument. Using irrelevance ensures that a given sort has a unique translation, up to equivalence. We elaborate on this below.

Generalizing from the above example, a sort declaration translates into three declarations: one for the formation family, one for the proof constructor for the formation family, and one for the predicate family.

$$\frac{\vdash \Sigma \;\mathsf{sig} \rightsquigarrow \hat\Sigma \qquad a{:}K \in \Sigma \qquad \cdot \vdash L \sqsubset K \rightsquigarrow^{\mathrm{form}} \mathbf{L}_f \qquad K \rightsquigarrow^{\mathrm{pred}} \mathbf{K}_p}{\vdash \Sigma, s \sqsubset a{::}L \;\mathsf{sig} \rightsquigarrow \hat\Sigma,\; \overline{s}{:}K,\; \overline{s}/i{:}\mathbf{L}_f(\overline{s}),\; s{:}\mathbf{K}_p(\overline{s}, a)}$$

The class formation judgment $\Gamma \vdash L \sqsubset K \rightsquigarrow^{\mathrm{form}} \mathbf{L}_f$ yields a metafunction describing the type of proofs of the formation family, while an auxiliary kind translation judgment $K \rightsquigarrow^{\mathrm{pred}} \mathbf{K}_p$ yields a metafunction describing the kind of the predicate family. As in the example, the kind of the formation family is the same as the kind of the refined type, K.

The metafunction $\mathbf{L}_f$ takes as input the formation family so far, initially just $\overline{s}$. The translation of Π classes adds an argument, and the base case returns the formation family so constructed.

$$\frac{\Gamma \vdash S \sqsubset A \rightsquigarrow \mathbf{S} \qquad \Gamma, x{::}S \sqsubset A \vdash L \sqsubset K \rightsquigarrow^{\mathrm{form}} \mathbf{L}}{\Gamma \vdash \Pi x{::}S \sqsubset A.\, L \;\sqsubset\; \Pi x{:}A.\, K \;\rightsquigarrow^{\mathrm{form}}\; \boldsymbol{\lambda} Q_f.\; \Pi x{:}A.\, \Pi \hat x{:}\mathbf{S}(\eta_A(x)).\; \mathbf{L}(Q_f\; \eta_A(x))}$$

$$\frac{}{\Gamma \vdash \mathsf{sort} \sqsubset \mathsf{type} \rightsquigarrow^{\mathrm{form}} \boldsymbol{\lambda} Q_f.\; Q_f}$$

Employing a similar trick as we did with intersection sorts, we translate intersection and ⊤ classes to product and unit types.

$$\frac{\Gamma \vdash L_1 \sqsubset K \rightsquigarrow^{\mathrm{form}} \mathbf{L}_1 \qquad \Gamma \vdash L_2 \sqsubset K \rightsquigarrow^{\mathrm{form}} \mathbf{L}_2}{\Gamma \vdash L_1 \wedge L_2 \sqsubset K \rightsquigarrow^{\mathrm{form}} \boldsymbol{\lambda} Q_f.\; \mathbf{L}_1(Q_f) \times \mathbf{L}_2(Q_f)} \qquad \frac{}{\Gamma \vdash \top \sqsubset K \rightsquigarrow^{\mathrm{form}} \boldsymbol{\lambda} Q_f.\; 1}$$

Intersection classes give multiple ways for a sort to be well-formed, and a product of formation families gives multiple ways to project out a proof of well-formedness.

The metafunction $\mathbf{K}_p$ takes two arguments: one for the formation family so far (initially $\overline{s}$) and one for the refined type so far (initially a). The rule for Π kinds just adds an argument to each:

$$\frac{K \rightsquigarrow^{\mathrm{pred}} \mathbf{K}}{\Pi x{:}A.\, K \rightsquigarrow^{\mathrm{pred}} \boldsymbol{\lambda}(Q_f, P).\; \Pi x{:}A.\, \mathbf{K}(Q_f\; \eta_A(x),\; P\; \eta_A(x))}$$

while the translation is really characterized by its behavior on the base kind, type:

$$\frac{}{\mathsf{type} \rightsquigarrow^{\mathrm{pred}} \boldsymbol{\lambda}(Q_f, P).\; Q_f \div\!\!\to P \to \mathsf{type}}$$
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rh s Q + cP^r^ q- 



s\Za::L £ £ 
r h s C a L ^■'s/i 

ThQ^P^-Ux::S^A.L^Q ThN^S^N [N/x] l A L = L f 
ThQNnPN^L'^QNN 

ThQnP^L 1 AL 2 ^Q FhQnP^L 1 AL 2 ^Q 
ThQlzP^Li^vriQ T\- Q n P ^ L 2 ^ tt 2 Q 



Figure 5: Translation rules for base sort class synthesis 

The kind of the predicate family for a base sort Q refining P is essentially a one-place 
judgment on terms of type P, along with an irrelevant argument belonging to the formation 
family of Q. 

Finally, we are able to make sense of the rule for translating base sorts: 

rhQcP'^L^Q P' = P L = sort 

(Q-F) 

r h Q C P ~» XN. Q [Q] N 

The class synthesis translation judgment T\-Q\zP=^L^Q (similar to the sort synthesis 
judgment; see Figured]) yields a proof of Q's formation family; thus the predicate for a base 
sort Q, given an argument N, is simply the predicate family Q applied to an irrelevant 
proof Q that Q is well-formed and the argument itself, N. 

What if we had not made the proofs of formation irrelevant? Then if there were more than one proof that Q is well-formed, a soundness problem would arise. To see how, let us return to the doubling example. Imagine extending our encoding of natural numbers with a sort distinguishing zero as a refinement.

zero ⊏ nat.
z :: even ∧ zero.

As with even and odd, the sort zero turns into a predicate. Now that z has two sorts, it translates to two proof constructors (see the footnote below).

zero : nat → type.
ẑ₁ : even z.
ẑ₂ : zero z.

Footnote: For the sake of simplicity, we continue our example with the slightly unfaithful assumptions we have been making all along. Strictly speaking, zero should also have a formation family with a single trivial member, and the two declarations ẑ₁ and ẑ₂ should be one declaration of product type. The point we wish to make is the same nonetheless.

Next, we can observe that zero always doubles to itself and augment the declaration of double* using an intersection class:

double* ⊏ double :: ⊤ → even → sort
                  ∧ zero → zero → sort.

After translation, since there are potentially two ways for double* x y to be well-formed, there are two introduction constants for the formation family.

$\overline{\mathit{double}^*}/i_1 : \Pi x{:}\mathit{nat}.\, \Pi y{:}\mathit{nat}.\, \mathit{even}\, y \to \overline{\mathit{double}^*}\, x\, y.$
$\overline{\mathit{double}^*}/i_2 : \Pi x{:}\mathit{nat}.\, \mathit{zero}\, x \to \Pi y{:}\mathit{nat}.\, \mathit{zero}\, y \to \overline{\mathit{double}^*}\, x\, y.$

The declarations for $\overline{\mathit{double}^*}$ and double* remain the same. Now recall the refinement declaration for doubling zero,

dbl/z :: double* z z,

and observe that it is valid for two reasons, since double* z z is well-formed for two reasons. Consequently, after translation, there will be two proofs inhabiting the formation family $\overline{\mathit{double}^*}\, z\, z$, but only one of them will be used in the translation of the dbl/z declaration. Supposing it is the first one, we will have

$\widehat{\mathit{dbl/z}} : \mathit{double}^*\, z\, z\, [\overline{\mathit{double}^*}/i_1\; z\; z\; \hat z_1]\; \mathit{dbl/z},$

but our soundness criterion will still require that the constant $\widehat{\mathit{dbl/z}}$ check at the type $\mathit{double}^*\, z\, z\, [\overline{\mathit{double}^*}/i_2\; z\; \hat z_2\; z\; \hat z_2]\; \mathit{dbl/z}$, the other possibility. The apparent mismatch is resolved by the fact that the formation proofs are irrelevant, and so the two types are considered equal. Without proof irrelevance, the two types would be distinct and we would have a counterexample to the soundness theorem (Theorem 6.1) we prove below.



6.3. Subsorting. We now return to the question of how the translation handles subsorting. Recall that an LFR signature can include subsorting declarations between sort family constants, s₁ < s₂. For instance, continuing with our running example of the natural numbers, we might note that any nat that is zero is even by declaring:

zero < even.

Such a declaration may seem redundant, since the only thing declared to have sort zero has already been declared to have sort even, but it may be necessary given the inherently open-ended nature of an LF signature. We may find ourselves later in a situation where we have a new hypothesis x :: zero, and without the inclusion, we would not be able to conclude that x :: even. For example, the derivation of · ⊢ λx. x ⇐ zero → even requires the inclusion to satisfy the second premise of the switch rule.

$$\frac{\dfrac{\dfrac{}{x{::}\mathit{zero} \vdash x \Rightarrow \mathit{zero}}\;\text{var} \qquad \dfrac{\mathit{zero} < \mathit{even} \in \Sigma}{\mathit{zero} \le \mathit{even}}}{x{::}\mathit{zero} \vdash x \Leftarrow \mathit{even}}\;\text{switch}}{\cdot \vdash \lambda x.\, x \Leftarrow \mathit{zero} \to \mathit{even}}\;\Pi\text{-I}$$

How should we translate that derivation into a proof? As we saw earlier, the representation of zero → even as a predicate is $\boldsymbol{\lambda} N.\, \Pi x{:}\mathit{nat}.\, \mathit{zero}\, x \to \mathit{even}\, (N @ x)$, and applying this predicate to λx. x yields the type we need the proof to have: Πx:nat. zero x → even x. It is not much of a leap of the imagination to see that one solution is simply to posit a constant of the appropriate type:

zero-even : Πx:nat. zero x → even x.

Now the translation of λx. x ⇐ zero → even can be simply the η-expansion of this constant: λx. λx̂. zero-even x x̂. This makes intuitive sense: the constant zero-even witnesses the meaning of the declaration zero < even under the subset interpretation.

Our example leads us to a rule: a subsorting declaration s₁ < s₂ translates into a declaration for a coercion constant s₁-s₂.

$$\frac{\vdash \Sigma \;\mathsf{sig} \rightsquigarrow \hat\Sigma \qquad s_1 \sqsubset a{::}L_1 \in \Sigma \qquad s_2 \sqsubset a{::}L_2 \in \Sigma \qquad a{:}K \in \Sigma \qquad K \rightsquigarrow \mathbf{K}_s}{\vdash \Sigma, s_1 < s_2 \;\mathsf{sig} \rightsquigarrow \hat\Sigma,\; s_1\text{-}s_2 : \mathbf{K}_s(a, \overline{s_1}, s_1, \overline{s_2}, s_2)}$$

The auxiliary judgment $K \rightsquigarrow \mathbf{K}_s$ yields a metafunction describing the type of proof coercions between sorts that refine a type family of kind K. The metafunction $\mathbf{K}_s$ takes five arguments: the refined type, the formation family and predicate family for the domain of the coercion, and the formation family and predicate family for the codomain of the coercion. As before, the Π translation adds an argument to each of the meta-arguments.

$$\frac{K \rightsquigarrow \mathbf{K}}{\Pi x{:}A.\, K \rightsquigarrow \boldsymbol{\lambda}(P, Q_{1f}, Q_1, Q_{2f}, Q_2).\; \Pi x{:}A.\, \mathbf{K}(P', Q_{1f}', Q_1', Q_{2f}', Q_2')}$$

(where, for each meta-argument P, P' = P η_A(x))

At the base kind type, the rule outputs the type of the coercion:

$$\frac{}{\mathsf{type} \rightsquigarrow \boldsymbol{\lambda}(P, Q_{1f}, Q_1, Q_{2f}, Q_2).\; \Pi f_1{:}Q_{1f}.\, \Pi f_2{:}Q_{2f}.\, \Pi x{:}P.\; Q_1\, [f_1]\, x \to Q_2\, [f_2]\, x}$$

Essentially, this is the type of coercions, given x, from proofs of Q₁ x to proofs of Q₂ x, but in the general case we must pass the predicates Q₁ and Q₂ evidence that they are well-formed, so the coercion requires formation proofs as inputs as well.

How do these coercions work? Recall that subsorting need only be defined at base sorts Q, and there it is simply the application-compatible, reflexive, transitive closure of the declared relation. For the purposes of the translation, we employ an equivalent algorithmic formulation of subsorting. Following the inspiration of bidirectional typing, there are two judgments: a checking judgment that takes two base sorts as inputs, and a synthesis judgment that takes one base sort as input and outputs another base sort that is one step higher in the subsort hierarchy.

The synthesis judgment constructs a coercion from the new coercion constants in the signature.

$$\frac{s_1 < s_2 \in \Sigma}{s_1 < s_2 \rightsquigarrow s_1\text{-}s_2} \qquad \frac{Q_1 < Q_2 \rightsquigarrow Q_1\text{-}Q_2}{Q_1\, N < Q_2\, N \rightsquigarrow Q_1\text{-}Q_2\; N}$$

The checking judgment, on the other hand, constructs a meta-level coercion between proofs of the two sorts. It is defined by two rules: a rule of reflexivity and a rule to climb the subsort hierarchy.

$$\frac{Q_1 = Q_2}{\Gamma \vdash Q_1 \le Q_2 \rightsquigarrow \boldsymbol{\lambda}(R, \hat R_1).\; \hat R_1}\;(\text{refl})$$

$$\frac{Q_1 < Q' \rightsquigarrow Q_1\text{-}Q' \qquad \Gamma \vdash Q' \le Q_2 \rightsquigarrow \mathbf{F} \qquad \Gamma \vdash Q_1 \sqsubset P \Rightarrow \mathsf{sort} \rightsquigarrow \hat Q_1 \qquad \Gamma \vdash Q' \sqsubset P \Rightarrow \mathsf{sort} \rightsquigarrow \hat Q'}{\Gamma \vdash Q_1 \le Q_2 \rightsquigarrow \boldsymbol{\lambda}(R, \hat R_1).\; \mathbf{F}(R,\; Q_1\text{-}Q'\; \hat Q_1\; \hat Q'\; R\; \hat R_1)}\;(\text{climb})$$

The reflexivity rule's metacoercion simply returns the proof it is given, while the climb rule composes the actual coercion Q₁-Q' with the metacoercion $\mathbf{F}$. Two extra premises generate the necessary formation proofs.

Finally, we have described enough of the translation to explain the rule most central to the design of LFR, the switch rule.

$$\frac{\Gamma \vdash R \Rightarrow Q' \rightsquigarrow \hat R \qquad \Gamma \vdash Q' \le Q \rightsquigarrow \mathbf{F}}{\Gamma \vdash R \Leftarrow Q \rightsquigarrow \mathbf{F}(R, \hat R)}\;(\text{switch})$$

The first premise produces a proof $\hat R$ that R satisfies property Q', and the second premise generates the meta-level proof coercion that transforms such a proof into a proof that R satisfies property Q.
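As an added example that is not from the paper, here is a Python model of the synthesis and checking judgments just described (refl and climb) and of the switch rule, run over a tiny signature. Base sorts are a head constant with string arguments; coercions and proof terms are built as strings. The model makes two assumptions stated here and in the code: formation proofs Q̂ are written form(Q)/i applied to the arguments, the paper's own simplification for sorts whose formation family has a single trivial member, and the general five-argument coercion type is used, so the trivial formation proofs are passed explicitly where the paper's prose example writes just zero-even x x̂. The intermediate sort small and the chain zero < small < even are constructed so that climb fires twice.

```python
# Added example: the algorithmic subsorting translation (refl, climb) and the switch
# rule of Section 6.3, modelled in Python.  Not code from the paper.
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Iterator, Optional

Coercion = Callable[[str, str], str]    # metacoercion 𝐅(R, R̂1) -> proof term, as a string


@dataclass(frozen=True)
class BaseSort:
    head: str              # sort family constant s
    args: tuple = ()       # term arguments N1 ... Nk, kept as strings

    def show(self) -> str:
        return " ".join((self.head, *self.args))


def formation_proof(q: BaseSort) -> str:
    """Q̂, a proof that Q is well-formed.  For the simple sorts used here the formation
    family has one trivial member, written form(Q)/i N1 ... Nk (the paper's own
    simplifying assumption for even, odd and zero)."""
    term = " ".join((f"{q.head}/i", *q.args))
    return f"({term})" if q.args else term


def synth_one_step(q1: BaseSort, declared: list) -> Iterator[tuple]:
    """Synthesis judgment: for each declaration s1 < s2 ∈ Σ with s1 = head(Q1), yield
    Q2 = s2 applied to the same arguments and the coercion term s1-s2 N1 ... Nk
    (the application-compatible rule  Q1 N < Q2 N ~> Q1-Q2 N)."""
    for s1, s2 in declared:
        if s1 == q1.head:
            yield BaseSort(s2, q1.args), " ".join((f"{s1}-{s2}", *q1.args))


def check(q1: BaseSort, q2: BaseSort, declared: list,
          seen: frozenset = frozenset()) -> Optional[Coercion]:
    """Checking judgment Γ ⊢ Q1 ≤ Q2 ~> 𝐅.
    refl : Q1 = Q2 gives λ(R, R̂1). R̂1
    climb: Q1 < Q' ~> Q1-Q' and Q' ≤ Q2 ~> 𝐅' give λ(R, R̂1). 𝐅'(R, Q1-Q' Q̂1 Q̂' R R̂1)
    Returns None when Q1 ≤ Q2 is not derivable; `seen` guards against cyclic declarations."""
    if q1 == q2:
        return lambda r, r_hat: r_hat
    for q_mid, coercion in synth_one_step(q1, declared):
        if q_mid in seen:
            continue
        rest = check(q_mid, q2, declared, seen | {q1})
        if rest is not None:
            q1_hat, q_mid_hat = formation_proof(q1), formation_proof(q_mid)
            return lambda r, r_hat, rest=rest, c=coercion: rest(
                r, f"({c} {q1_hat} {q_mid_hat} {r} {r_hat})")
    return None


def switch(r: str, r_hat: str, q_synth: BaseSort, q: BaseSort, declared: list) -> Optional[str]:
    """Translation of the switch rule: from Γ ⊢ R ⇒ Q' ~> R̂ and Γ ⊢ Q' ≤ Q ~> 𝐅,
    the translation of Γ ⊢ R ⇐ Q is 𝐅(R, R̂)."""
    f = check(q_synth, q, declared)
    return None if f is None else f(r, r_hat)


# The paper's signature: zero < even.
PAPER = [("zero", "even")]
# Constructed variant with a hypothetical intermediate sort, so climb is applied twice.
CHAIN = [("zero", "small"), ("small", "even")]
ZERO, SMALL, EVEN = BaseSort("zero"), BaseSort("small"), BaseSort("even")


def examples() -> dict:
    return {
        "refl":    switch("x", "x^", EVEN, EVEN, PAPER),       # "x^"
        "paper":   switch("x", "x^", ZERO, EVEN, PAPER),       # "(zero-even zero/i even/i x x^)"
        "chain":   switch("x", "x^", ZERO, EVEN, CHAIN),       # climb nested twice
        "fail":    switch("x", "x^", EVEN, ZERO, PAPER),       # None: even ≤ zero not derivable
        "indexed": switch("R", "R^", BaseSort("zero", ("N",)), BaseSort("even", ("N",)), PAPER),
    }
```

The "chain" entry shows the right-nesting that Lemma 6.3 relies on: the innermost coercion is the first declared step, and each climb wraps the previous proof in the next coercion constant together with the two formation proofs the coercion type demands.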

Having sketched the translation and the role of proof irrelevance, we now review some 
metatheoretic results. 

6.4. Correctness. Our translation is both sound and complete with respect to the original 
system of LF with refinement types, and so our correctness criteria will come in two flavors. 

Soundness theorems tell us that the result of a translation is well-formed. But even 
more importantly than telling us that our translation is on some level correct, they serve as 
an independent means of understanding the translation. In a sense, a soundness theorem 
can be read as the meta-level type of a translation judgment — a specification of its intended 
behavior — and just as types serve as an organizing principle for the practicing programmer, 
so too do soundness theorems serve the thoughtful theoretician. We explain our soundness 
theorems, then, not only to demonstrate the sensibility of our translation, but also to aid 
the reader in understanding its purpose. 

In what follows, form(Q) represents the formation family for a base sort Q.

$\mathrm{form}(s) = \overline{s}$        $\mathrm{form}(Q\, N) = \mathrm{form}(Q)\, N$

Theorem 6.1 (Soundness). Suppose $\vdash \Gamma \;\mathsf{ctx} \rightsquigarrow \hat\Gamma$ and $\vdash \Sigma \;\mathsf{sig} \rightsquigarrow \hat\Sigma$. Then:

(1) If $\Gamma \vdash S \sqsubset A \rightsquigarrow \mathbf{S}$ and $\Gamma \vdash N \Leftarrow S \rightsquigarrow \hat N$, then $\hat\Gamma \vdash_{\hat\Sigma} \hat N \Leftarrow \mathbf{S}(N)$.

(2) If $\Gamma \vdash R \Rightarrow S \rightsquigarrow \hat R$, then $\Gamma \vdash S \sqsubset A \rightsquigarrow \mathbf{S}$ and $\hat\Gamma \vdash_{\hat\Sigma} \hat R \Rightarrow \mathbf{S}(\eta_A(R))$ (for some A and $\mathbf{S}$).

(3) If $\Gamma \vdash S \sqsubset A \rightsquigarrow \mathbf{S}$ and $\Gamma \vdash N \Leftarrow A$, then $\hat\Gamma \vdash_{\hat\Sigma} \mathbf{S}(N) \Leftarrow \mathsf{type}$.

(4) If $\Gamma \vdash Q \sqsubset P \Rightarrow L \rightsquigarrow \hat Q$, then for some K, $\mathbf{L}_f$, and $\mathbf{K}_p$,
  • $\Gamma \vdash L \sqsubset K \rightsquigarrow^{\mathrm{form}} \mathbf{L}_f$ and $\hat\Gamma \vdash_{\hat\Sigma} \hat Q \Rightarrow \mathbf{L}_f(\mathrm{form}(Q))$, and
  • $K \rightsquigarrow^{\mathrm{pred}} \mathbf{K}_p$ and $\hat\Gamma \vdash_{\hat\Sigma} Q \Rightarrow \mathbf{K}_p(\mathrm{form}(Q), P)$.

(5) If $\Gamma \vdash L \sqsubset K \rightsquigarrow^{\mathrm{form}} \mathbf{L}_f$ and $\Gamma \vdash P \Rightarrow K$, then $\hat\Gamma \vdash_{\hat\Sigma} \mathbf{L}_f(P) \Leftarrow \mathsf{type}$.

(6) If $K \rightsquigarrow^{\mathrm{pred}} \mathbf{K}_p$, $\hat\Gamma \vdash Q_f \Rightarrow K$, and $\Gamma \vdash P \Rightarrow K$, then $\hat\Gamma \vdash_{\hat\Sigma} \mathbf{K}_p(Q_f, P) \Leftarrow \mathsf{kind}$.

(7) If $Q_1 < Q_2 \rightsquigarrow Q_1\text{-}Q_2$, $\Gamma \vdash Q_1 \sqsubset P \Rightarrow L$, $\Gamma \vdash P \Rightarrow K$, and $K \rightsquigarrow \mathbf{K}_s$, then $\Gamma \vdash Q_2 \sqsubset P \Rightarrow L$ and $\hat\Gamma \vdash Q_1\text{-}Q_2 \Rightarrow \mathbf{K}_s(P, \mathrm{form}(Q_1), Q_1, \mathrm{form}(Q_2), Q_2)$.

(8) If $\Gamma \vdash R \Rightarrow P$, $\Gamma \vdash Q_i \sqsubset P \rightsquigarrow \mathbf{Q}_i$, $\Gamma \vdash Q_1 \le Q_2 \rightsquigarrow \mathbf{F}$, and $\hat\Gamma \vdash \hat R_1 \Rightarrow \mathbf{Q}_1(R)$, then $\hat\Gamma \vdash \mathbf{F}(R, \hat R_1) \Leftarrow \mathbf{Q}_2(R)$.

(9) If $K \rightsquigarrow \mathbf{K}_s$, $K \rightsquigarrow^{\mathrm{pred}} \mathbf{K}_p$, $\Gamma \vdash P \Rightarrow K$, $\hat\Gamma \vdash Q_{if} \Rightarrow K$, and $\hat\Gamma \vdash Q_i \Rightarrow \mathbf{K}_p(Q_{if}, P)$, then $\hat\Gamma \vdash \mathbf{K}_s(P, Q_{1f}, Q_1, Q_{2f}, Q_2) \Leftarrow \mathsf{type}$.

Proof. By induction on each clause's main input derivation. Several clauses must be proved mutually; for instance, clauses 1, 2, 8, and 4 are all mutual, since the rules for translating terms refer to the translation of subsorting, the rules for translating subsorting refer to the class synthesis translation, and, since sorts may be dependent, the rules for class synthesis translation refer back to the term translation. □

The proofs use entirely standard syntactic methods, but they appeal to several key lemmas 
about the structure of the translation. 

Lemma 6.2 (Erasure). IfFh J~~> X, then F h J. 

Proof. Straightforward induction on the structure of the translation derivation. The trans- 
lation rules are premise-wise strictly more restrictive than the original LFR rules, except 
for the subsorting rules, which are also more restrictive in the sense that they force rules to 
be applied in a certain order. □ 

Lemma 6.3 (Reconstruction). If $\Gamma \vdash J$, then for some $X$, $\Gamma \vdash J \leadsto X$.

Proof. By induction on the structure of the LFR derivation. The cases for the subsorting 
rules require us to demonstrate that an LFR subsorting derivation can be put into "algo-
rithmic form", with all uses of reflexivity and transitivity outermost and right-nested, like 
the algorithmic translation rules refl and climb. We also make use of the tacit assumption 
that the judgment $\Gamma \vdash J$ itself is well-formed, e.g. if $J = N \Leftarrow S$, then $\Gamma \vdash S \sqsubset A$, 
which ensures that we will have the necessary formation premises when we need to apply 
the climb rule. □ 

Erasure and reconstruction substantiate the claim that our translation is derivation-directed 
by allowing us to move freely between translation judgments and ordinary ones. Using 
erasure and reconstruction, we can leverage all of the LFR metatheory without reproving 
it for translation judgments. For example, several cases require us to substitute into a 
translation derivation: we can apply erasure, appeal to LFR's substitution theorem, and 
invoke reconstruction to get the output we require. 

But since reconstruction only gives us some output X, we may not know that it is the 
one that suits our needs. Therefore, we usually require another lemma, compositionality, 
to tell us that the translation commutes with substitution. There are several such lemmas; 
we show here the one for sort translation. 

Lemma 6.4 (Compositionality). Let $\sigma$ denote $[M/x]_A$.

(1) If $\Gamma_L, x{::}\_, \Gamma_R \vdash S \sqsubset A \leadsto \hat S$ and $\Gamma_L, \sigma\Gamma_R \vdash \sigma S \sqsubset \sigma A \leadsto \hat S'$, then $\sigma(\hat S(N)) = \hat S'(\sigma N)$,

(2) If $\Gamma_L, x{::}\_, \Gamma_R \vdash L \sqsubset K \leadsto^{\mathrm{form}} L_f$ and $\Gamma_L, \sigma\Gamma_R \vdash \sigma L \sqsubset \sigma K \leadsto^{\mathrm{form}} L_f'$, then $\sigma(L_f(P)) = L_f'(\sigma P)$,

and similarly for $K \leadsto^{s} K_s$ and $K \leadsto^{d} K_p$.

Proof. Straightforward induction using functionality of hereditary substitution. The base 
case of the first clause leverages the irrelevance introduced in the Q-F translation rule: both 
sort formation derivations will have a premise outputting evidence for the well-formedness 
of the sort, and there is no guarantee they will output the same evidence, but since the 
evidence is relegated to an irrelevant position, its identity is ignored. The second clause's 
$\Pi$ case appeals to the first clause, since $\Pi$ classes contain sorts. □ 
Finally, there is a lemma demonstrating that proof variables only ever occur irrelevantly, 
so substituting for them cannot change the identity of a sort or class meta-function output 
by the translation. 

Lemma 6.5 (Proof Variable Substitution). 

(1) If $\Gamma_L, x{::}S_0 \sqsubset A_0, \Gamma_R \vdash S \sqsubset A \leadsto \hat S$, then $[M/\hat x]_{A_0}\,\hat S(N) = \hat S([M/\hat x]_{A_0}\,N)$.

(2) If $\Gamma_L, x{::}S_0 \sqsubset A_0, \Gamma_R \vdash L \sqsubset K \leadsto^{\mathrm{form}} L_f$, then $[M/\hat x]_{A_0}\,L_f(P) = L_f([M/\hat x]^{p}_{A_0}\,P)$.

Proof. Straightforward induction, noting that in the base case, the Q-F rule, the only term that 
could depend on the proof variable $\hat x$ is in an irrelevant position. □ 

Completeness theorems tell us that our target is not too rich: that everything we find 
evidence of in the codomain of the translation actually holds true in its domain. While 
important for establishing general correctness, completeness theorems are not as informative 
as soundness theorems, so we give here only the cases for terms — and in any case, those are 
the only cases we require to fulfill our goal of preserving adequacy. 

In stating completeness, we syntactically isolate the set of terms that could represent 
proofs, using the metavariables $\hat R$ and $\hat N$:
\[
\begin{array}{lcl}
\hat R & ::= & \hat x \mid \hat R\,N\,\hat N \mid \pi_1\,\hat R \mid \pi_2\,\hat R \\
\hat N & ::= & F \mid \lambda x.\,\lambda \hat x.\,\hat N \mid (\hat N_1, \hat N_2) \mid () \\
F & ::= & \hat R \mid Q_1\text{-}Q_2\ \hat Q_1\ \hat Q_2\ R\ F \\
Q_1\text{-}Q_2 & ::= & s_1\text{-}s_2 \mid Q_1\text{-}Q_2\,N \\
\hat Q & ::= & s_f \mid \hat Q\,N\,\hat N \mid \pi_1\,\hat Q \mid \pi_2\,\hat Q
\end{array}
\]



Theorem 6.6 (Completeness). Suppose $\vdash \Gamma\ \mathsf{ctx} \leadsto \hat\Gamma$ and $\vdash \Sigma\ \mathsf{sig} \leadsto \hat\Sigma$. Then:

(1) If $\Gamma \vdash S \sqsubset A \leadsto \hat S$ and $\hat\Gamma \vdash \hat N \Leftarrow \hat S(N)$, then $\Gamma \vdash N \Leftarrow S$.

(2) If $\hat\Gamma \vdash \hat R \Rightarrow B$, then $\Gamma \vdash S \sqsubset A \leadsto \hat S$, $B = \hat S(\eta_A(R))$, and $\Gamma \vdash R \Rightarrow S$ (for some $S$, $A$, $\hat S$, and $R$).

(3) If $\hat\Gamma \vdash F \Leftarrow Q\,[\hat Q]\,R$, then $\Gamma \vdash R \Leftarrow Q$.

(4) If $\hat\Gamma \vdash Q_1\text{-}Q_2 \Rightarrow B$, then $K \leadsto^{s} K_s$, $B = K_s(P, \mathrm{form}(Q_1), Q_1, \mathrm{form}(Q_2), Q_2)$, and $Q_1 \le Q_2$ (for some $K$, $K_s$, $P$, $Q_1$, and $Q_2$).

(5) If $\hat\Gamma \vdash \hat Q \Rightarrow B$, then $\Gamma \vdash L \sqsubset K \leadsto^{\mathrm{form}} L_f$, $B = L_f(\mathrm{form}(Q))$, and $\Gamma \vdash Q \sqsubset P \Rightarrow L$ (for some $L$, $K$, $L_f$, and $Q$).

Proof. By induction over the structure of the proof term. □ 

Adequacy of a representation is generally shown by exhibiting a compositional bijection be- 
tween informal entities and terms of certain LFR sorts. Since we have undertaken a subset 
interpretation, the set of terms of any LFR sort are unchanged by translation, and so any 
bijective correspondence between those terms and informal entities remains after transla- 
tion. Furthermore, soundness and completeness tell us that our interpretation preserves 
and reflects the derivability of any refinement type judgments over those terms. Thus, we 
have achieved our main goal: any adequate LFR representation can be translated to an 
adequate LFI representation. 
7. Conclusion 

Logical frameworks are metalanguages specifically designed so that common concepts and 
notations in logic and the theory of programming languages can be represented elegantly 
and concisely. LF [HHP93] intrinsically supports α-conversion, capture-avoiding substitu-
tion, and hypothetical and parametric judgments, but as with any such enterprise, certain 
patterns fall out of its scope and must be encoded indirectly. One pattern is the 
ability to form regular subsets of types already defined. We address this by extending LF 
with type refinements, leveraging the modern view of LF as a calculus of canonical forms to 
obtain a metatheoretically simple yet expressive system, LFR. Another pattern is to ignore 
the identities of proofs, relying only on their existence. This is addressed in LF extended 
with proof irrelevance, LFI [Pfe01a, RP08]. We have shown that our system of refinement 
types can be mapped into LFI in a bijective manner, preserving adequacy theorems for LFR 
representations in LFI. 

In the methodology of logical frameworks research, it is important to understand the 
cost of such a translation: how much more complicated are encodings in the target frame- 
work, and how much more difficult is it to work with them? We cannot measure this cost 
precisely, but we hope it is evident from the definition of the translation and the examples 
that the price is considerable. Even if in special cases more direct encodings are possible, 
we believe our general translation could not be simplified much, given the explicit goal to 
preserve the adequacy of representations. Other translations from programming languages, 
such as coercion interpretations where sorts are translated to distinct types and subsorting 
to coercions, appear even more complex because adequacy depends on certain functional 
equalities between coercions. Our preliminary conclusion is that refinement types in logical 
frameworks provide elegant and immediate representations that are not easy to simulate 
without them, providing a solid argument for their inclusion in the next generation of 
frameworks. 

Of course, much work remains to be done before refinement types can be considered a 
practical addition. First, it will be necessary to develop a sufficiently complete algorithm 
for reconstructing the sorts of implicitly II-quantified metavariables in order to allow the 
elegant encodings we imagine without burdensome redundancy. Furthermore, it would be 
useful to have a logic programming interpretation of LFR declarations and the ability to 
perform analyses like coverage and termination checking on declarations qua programs; to 
enable such an interpretation, we will have to develop an algorithm for sorted unification, 
generalizing existing work on pattern unification in the context of logical frameworks. It 
may also be a worthwhile endeavor to formalize the metatheory of LFR and its subset 
interpretation in a metalogical framework or proof assistant; although we have avoided 
doing so due to the high cost of working around current technological limitations in proof 
assistants, the present work has been carried out in sufficient detail that formalization should 
not be particularly difficult beyond the technical challenge of representing a dependently 
typed calculus. 

Refinement types have also been proposed for functional programming [Fre94, 
DP04, Pav05], most recently in conjunction with a limited form of dependent types [Dun07]. 
Proof irrelevance is already integrated in this setting, and also available in general type 
theories such as NuPrl or Coq. One can ask the same question here: Can we simply 
eliminate refinement types and just work with dependent types and proof irrelevance? The 
results in this paper lend support to the conjecture that this can be accomplished by a 
uniform translation. On the other hand, just as here, it seems there would likely be a high 
cost in terms of brevity in order to maintain a bijection between well-sorted data in the 
source and dependently well-typed data in the target of the translation. 

Acknowledgements. Thanks to Jason Reed for many fruitful discussions on the topic of 
proof irrelevance. Thanks to the anonymous referees for offering insightful commentary on 
how to clarify our presentation. 
Appendix A. Complete LFR Rules 

In the judgment forms below, superscript + and — indicate a judgment's "inputs" and 
"outputs" , respectively. 



A.1. Grammar. 

Kind level
\[
\begin{array}{lcll}
K & ::= & \mathsf{type} \mid \Pi x{:}A.\,K & \text{kinds} \\
L & ::= & \mathsf{sort} \mid \Pi x{::}S \sqsubset A.\,L \mid \top \mid L_1 \wedge L_2 & \text{classes}
\end{array}
\]

Type level
\[
\begin{array}{lcll}
P & ::= & a \mid P\,N & \text{atomic type families} \\
A & ::= & P \mid \Pi x{:}A_1.\,A_2 & \text{canonical type families} \\
Q & ::= & s \mid Q\,N & \text{atomic sort families} \\
S & ::= & Q \mid \Pi x{::}S_1 \sqsubset A_1.\,S_2 \mid \top \mid S_1 \wedge S_2 & \text{canonical sort families}
\end{array}
\]

Term level
\[
\begin{array}{lcll}
R & ::= & c \mid x \mid R\,N & \text{atomic terms} \\
N & ::= & R \mid \lambda x.\,N & \text{canonical terms}
\end{array}
\]

Signatures and contexts
\[
\begin{array}{lcll}
\Sigma & ::= & \cdot \mid \Sigma, D & \text{signatures} \\
D & ::= & a{:}K \mid c{:}A \mid s \sqsubset a{::}L \mid s_1 \le s_2 \mid c{::}S & \text{declarations} \\
\Gamma & ::= & \cdot \mid \Gamma, x{::}S \sqsubset A & \text{contexts}
\end{array}
\]



A.2. Expansion and Substitution. All bound variables are tacitly assumed to be suffi-
ciently fresh. 

Simple types, and the erasure $(A)^-$ of a canonical type to a simple type:
\[
\alpha, \beta ::= a \mid \alpha_1 \to \alpha_2
\qquad\qquad
(a)^- = a \qquad (P\,N)^- = (P)^- \qquad (\Pi x{:}A.\,B)^- = (A)^- \to (B)^-
\]

Eta-expansion $\eta_\alpha(R) = N$:
\[
\eta_a(R) = R \qquad\qquad \eta_{\alpha \to \beta}(R) = \lambda x.\,\eta_\beta(R\,\eta_\alpha(x))
\]

Hereditary substitution is defined by three mutually recursive judgments: $[N_0/x_0]^{n}_{\alpha_0} N = N'$ on canonical terms, $[N_0/x_0]^{rn}_{\alpha_0} R = R'$ on atomic terms whose head is not $x_0$ (the result stays atomic), and $[N_0/x_0]^{rr}_{\alpha_0} R = (N', \alpha')$ on atomic terms whose head is $x_0$ (the result is a canonical term together with its simple type).

\[
\frac{[N_0/x_0]^{rn}_{\alpha_0} R = R'}{[N_0/x_0]^{n}_{\alpha_0} R = R'}
\qquad
\frac{[N_0/x_0]^{rr}_{\alpha_0} R = (N', \alpha')}{[N_0/x_0]^{n}_{\alpha_0} R = N'}
\qquad
\frac{[N_0/x_0]^{n}_{\alpha_0} N = N'}{[N_0/x_0]^{n}_{\alpha_0}\,\lambda x.\,N = \lambda x.\,N'}
\]
\[
\frac{x \ne x_0}{[N_0/x_0]^{rn}_{\alpha_0} x = x}
\qquad
\frac{}{[N_0/x_0]^{rn}_{\alpha_0} c = c}
\qquad
\frac{[N_0/x_0]^{rn}_{\alpha_0} R_1 = R_1' \quad [N_0/x_0]^{n}_{\alpha_0} N_2 = N_2'}{[N_0/x_0]^{rn}_{\alpha_0} R_1\,N_2 = R_1'\,N_2'}
\]
\[
\frac{}{[N_0/x_0]^{rr}_{\alpha_0} x_0 = (N_0, \alpha_0)}\ (\text{subst-rr-var})
\]
\[
\frac{[N_0/x_0]^{rr}_{\alpha_0} R_1 = (\lambda x.\,N_1,\ \alpha_2 \to \alpha_1) \quad [N_0/x_0]^{n}_{\alpha_0} N_2 = N_2' \quad [N_2'/x]^{n}_{\alpha_2} N_1 = N_1'}{[N_0/x_0]^{rr}_{\alpha_0} R_1\,N_2 = (N_1', \alpha_1)}\ (\text{subst-rr-}\beta)
\]

In the $\beta$ rule the substitution into the body $N_1$ is at the simple type $\alpha_2$, a strict subterm of the type $\alpha_2 \to \alpha_1$ recorded for $R_1$; this is what makes hereditary substitution terminate.

(Substitution for other syntactic categories ($q$, $p$, $s$, $a$, $l$, $k$, $\gamma$) is compositional.) 
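As an added illustration, not code from the paper, the following Python program implements the η-expansion and the three-way hereditary substitution of A.2 over the term grammar of A.1 (atomic $R$, canonical $N$) with simple types $\alpha$ as the termination measure. The term and type constructors follow the paper; the class and function names (`Base`, `Arrow`, `Var`, `Const`, `App`, `Lam`, `eta`, `subst_n`, `subst_rn`, `subst_rr`, `subst`) are my own, and the sample terms in `main` are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, Union

# Simple types  alpha ::= a | alpha1 -> alpha2  (the erasure (A)^- of an LF type).
@dataclass(frozen=True)
class Base:
    name: str

@dataclass(frozen=True)
class Arrow:
    dom: "SimpleType"
    cod: "SimpleType"

SimpleType = Union[Base, Arrow]

# Canonical terms: atomic R ::= c | x | R N, canonical N ::= R | lambda x. N.
@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Const:
    name: str

@dataclass(frozen=True)
class App:
    head: "Term"
    arg: "Term"

@dataclass(frozen=True)
class Lam:
    var: str
    body: "Term"

Term = Union[Var, Const, App, Lam]

_counter = 0
def fresh(base: str = "x") -> str:
    """Fresh bound-variable names (the 'tacitly sufficiently fresh' assumption)."""
    global _counter
    _counter += 1
    return f"{base}{_counter}"

def eta(alpha: SimpleType, R: Term) -> Term:
    """eta_alpha(R):  eta_a(R) = R,  eta_{a->b}(R) = lambda x. eta_b(R eta_a(x))."""
    if isinstance(alpha, Base):
        return R
    x = fresh()
    return Lam(x, eta(alpha.cod, App(R, eta(alpha.dom, Var(x)))))

def subst_n(N0: Term, x0: str, alpha0: SimpleType, N: Term) -> Term:
    """[N0/x0]^n_alpha0 N on canonical terms."""
    if isinstance(N, Lam):
        if N.var == x0:                       # cannot happen with fresh binders
            return N
        return Lam(N.var, subst_n(N0, x0, alpha0, N.body))
    rr = subst_rr(N0, x0, alpha0, N)
    if rr is not None:                        # head of N is x0: use the rr form
        return rr[0]
    return subst_rn(N0, x0, alpha0, N)        # head is not x0: stays atomic

def subst_rn(N0: Term, x0: str, alpha0: SimpleType, R: Term) -> Term:
    """[N0/x0]^rn_alpha0 R: the head of R is a variable x != x0 or a constant."""
    if isinstance(R, (Var, Const)):
        return R
    return App(subst_rn(N0, x0, alpha0, R.head), subst_n(N0, x0, alpha0, R.arg))

def subst_rr(N0: Term, x0: str, alpha0: SimpleType, R: Term) -> Optional[Tuple[Term, SimpleType]]:
    """[N0/x0]^rr_alpha0 R = (N', alpha'): the head of R is x0.  Returns None when
    the head is not x0, which is how subst_n chooses between the rr and rn forms."""
    if isinstance(R, Var):
        return (N0, alpha0) if R.name == x0 else None     # subst-rr-var
    if isinstance(R, Const):
        return None
    h = subst_rr(N0, x0, alpha0, R.head)
    if h is None:
        return None
    lam, alpha = h                                        # subst-rr-beta
    # N0 is canonical (eta-long), so at an arrow type it must be a lambda.
    assert isinstance(lam, Lam) and isinstance(alpha, Arrow), "ill-typed input"
    N2 = subst_n(N0, x0, alpha0, R.arg)
    # The reduct is substituted hereditarily at the *smaller* type alpha.dom.
    return (subst_n(N2, lam.var, alpha.dom, lam.body), alpha.cod)

def subst(N0: Term, x0: str, alpha0: SimpleType, N: Term) -> Term:
    """Entry point: [N0/x0]^n_alpha0 N."""
    return subst_n(N0, x0, alpha0, N)

def show(t: Term) -> str:
    if isinstance(t, (Var, Const)):
        return t.name
    if isinstance(t, App):
        a = show(t.arg)
        return f"{show(t.head)} ({a})" if isinstance(t.arg, (App, Lam)) else f"{show(t.head)} {a}"
    return f"\\{t.var}. {show(t.body)}"

if __name__ == "__main__":
    a = Base("a")
    # (lambda y. c y) for f in  f (f x)  at type a -> a: the two redexes reduce hereditarily.
    N0 = Lam("y", App(Const("c"), Var("y")))
    print(show(subst(N0, "f", Arrow(a, a), App(Var("f"), App(Var("f"), Var("x"))))))
    # eta-expansion of g at (a -> a) -> a.
    print(show(eta(Arrow(Arrow(a, a), a), Var("g"))))
```

Because `subst_rr` only ever recurses into the body of a lambda at the domain type of the recorded arrow, the recursion is well-founded on the simple type even when the substituted term contains further redexes, as in the `f (f x)` example.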
A.3. Kinding. 

$\Gamma \vdash_\Sigma L^+ \sqsubset K^+$

\[
\frac{}{\Gamma \vdash \mathsf{sort} \sqsubset \mathsf{type}}
\qquad
\frac{\Gamma \vdash S \sqsubset A \quad \Gamma, x{::}S \sqsubset A \vdash L \sqsubset K}{\Gamma \vdash \Pi x{::}S \sqsubset A.\,L \sqsubset \Pi x{:}A.\,K}
\qquad
\frac{}{\Gamma \vdash \top \sqsubset K}
\qquad
\frac{\Gamma \vdash L_1 \sqsubset K \quad \Gamma \vdash L_2 \sqsubset K}{\Gamma \vdash L_1 \wedge L_2 \sqsubset K}
\]

$\Gamma \vdash_\Sigma Q^+ \sqsubset P^- \Rightarrow L^-$

\[
\frac{s \sqsubset a{::}L \in \Sigma}{\Gamma \vdash s \sqsubset a \Rightarrow L}
\qquad
\frac{\Gamma \vdash Q \sqsubset P \Rightarrow \Pi x{::}S \sqsubset A.\,L \quad \Gamma \vdash N \Leftarrow S \quad [N/x]^{l}_{A} L = L'}{\Gamma \vdash Q\,N \sqsubset P\,N \Rightarrow L'}
\]
\[
\frac{\Gamma \vdash Q \sqsubset P \Rightarrow L_1 \wedge L_2}{\Gamma \vdash Q \sqsubset P \Rightarrow L_1}
\qquad
\frac{\Gamma \vdash Q \sqsubset P \Rightarrow L_1 \wedge L_2}{\Gamma \vdash Q \sqsubset P \Rightarrow L_2}
\]

$\Gamma \vdash_\Sigma S^+ \sqsubset A^+$

\[
\frac{\Gamma \vdash Q \sqsubset P \Rightarrow L \quad L = \mathsf{sort}}{\Gamma \vdash Q \sqsubset P}\ (Q\text{-F})
\qquad
\frac{\Gamma \vdash S \sqsubset A \quad \Gamma, x{::}S \sqsubset A \vdash S' \sqsubset A'}{\Gamma \vdash \Pi x{::}S \sqsubset A.\,S' \sqsubset \Pi x{:}A.\,A'}\ (\Pi\text{-F})
\]
\[
\frac{}{\Gamma \vdash \top \sqsubset A}\ (\top\text{-F})
\qquad
\frac{\Gamma \vdash S_1 \sqsubset A \quad \Gamma \vdash S_2 \sqsubset A}{\Gamma \vdash S_1 \wedge S_2 \sqsubset A}\ (\wedge\text{-F})
\]

Note: no intro rules for classes $\top$ and $L_1 \wedge L_2$. 
A.4. Typing. 

$\Gamma \vdash_\Sigma R^+ \Rightarrow S^-$

\[
\frac{c{::}S \in \Sigma}{\Gamma \vdash c \Rightarrow S}\ (\text{const})
\qquad
\frac{x{::}S \sqsubset A \in \Gamma}{\Gamma \vdash x \Rightarrow S}\ (\text{var})
\]
\[
\frac{\Gamma \vdash R_1 \Rightarrow \Pi x{::}S_2 \sqsubset A_2.\,S \quad \Gamma \vdash N_2 \Leftarrow S_2 \quad [N_2/x]^{s}_{A_2} S = S'}{\Gamma \vdash R_1\,N_2 \Rightarrow S'}\ (\Pi\text{-E})
\]
\[
\frac{\Gamma \vdash R \Rightarrow S_1 \wedge S_2}{\Gamma \vdash R \Rightarrow S_1}\ (\wedge\text{-E}_1)
\qquad
\frac{\Gamma \vdash R \Rightarrow S_1 \wedge S_2}{\Gamma \vdash R \Rightarrow S_2}\ (\wedge\text{-E}_2)
\]

$\Gamma \vdash_\Sigma N^+ \Leftarrow S^+$

\[
\frac{\Gamma \vdash R \Rightarrow Q' \quad Q' \le Q}{\Gamma \vdash R \Leftarrow Q}\ (\text{switch})
\qquad
\frac{\Gamma, x{::}S \sqsubset A \vdash N \Leftarrow S'}{\Gamma \vdash \lambda x.\,N \Leftarrow \Pi x{::}S \sqsubset A.\,S'}\ (\Pi\text{-I})
\]
\[
\frac{}{\Gamma \vdash N \Leftarrow \top}\ (\top\text{-I})
\qquad
\frac{\Gamma \vdash N \Leftarrow S_1 \quad \Gamma \vdash N \Leftarrow S_2}{\Gamma \vdash N \Leftarrow S_1 \wedge S_2}\ (\wedge\text{-I})
\]

$Q_1^+ \le Q_2^+$

\[
\frac{Q_1 = Q_2}{Q_1 \le Q_2}
\qquad
\frac{Q_1 \le Q' \quad Q' \le Q_2}{Q_1 \le Q_2}
\qquad
\frac{s_1 \le s_2 \in \Sigma}{s_1 \le s_2}
\qquad
\frac{Q_1 \le Q_2}{Q_1\,N \le Q_2\,N}
\]
A.5. Signatures and Contexts. 

$\vdash \Sigma\ \mathsf{sig}$

\[
\frac{}{\vdash \cdot\ \mathsf{sig}}
\qquad
\frac{\vdash \Sigma\ \mathsf{sig} \quad \cdot \vdash_\Sigma K \Leftarrow \mathsf{kind} \quad a{:}K' \notin \Sigma}{\vdash \Sigma, a{:}K\ \mathsf{sig}}
\qquad
\frac{\vdash \Sigma\ \mathsf{sig} \quad \cdot \vdash_\Sigma A \Leftarrow \mathsf{type} \quad c{:}A' \notin \Sigma}{\vdash \Sigma, c{:}A\ \mathsf{sig}}
\]
\[
\frac{\vdash \Sigma\ \mathsf{sig} \quad a{:}K \in \Sigma \quad \cdot \vdash_\Sigma L \sqsubset K \quad s \sqsubset a'{::}L' \notin \Sigma}{\vdash \Sigma, s \sqsubset a{::}L\ \mathsf{sig}}
\qquad
\frac{\vdash \Sigma\ \mathsf{sig} \quad c{:}A \in \Sigma \quad \cdot \vdash_\Sigma S \sqsubset A \quad c{::}S' \notin \Sigma}{\vdash \Sigma, c{::}S\ \mathsf{sig}}
\]
\[
\frac{\vdash \Sigma\ \mathsf{sig} \quad s_1 \sqsubset a{::}L \in \Sigma \quad s_2 \sqsubset a{::}L \in \Sigma}{\vdash \Sigma, s_1 \le s_2\ \mathsf{sig}}
\]

$\vdash_\Sigma \Gamma\ \mathsf{ctx}$

\[
\frac{}{\vdash \cdot\ \mathsf{ctx}}
\qquad
\frac{\vdash \Gamma\ \mathsf{ctx} \quad \Gamma \vdash S \sqsubset A}{\vdash \Gamma, x{::}S \sqsubset A\ \mathsf{ctx}}
\]
Appendix B. Complete Translation Rules 

In the judgment forms below, superscript + and — indicate a judgment's "inputs" and 
"outputs" , respectively. 

B.1. Kinding. 

$\Gamma \vdash_\Sigma L^+ \sqsubset K^+ \leadsto^{\mathrm{form}} L_f^-$

\[
\frac{}{\Gamma \vdash \mathsf{sort} \sqsubset \mathsf{type} \leadsto^{\mathrm{form}} \lambda Q_f.\,Q_f}
\qquad
\frac{\Gamma \vdash S \sqsubset A \leadsto \hat S \quad \Gamma, x{::}S \sqsubset A \vdash L \sqsubset K \leadsto^{\mathrm{form}} L_f}{\Gamma \vdash \Pi x{::}S \sqsubset A.\,L \sqsubset \Pi x{:}A.\,K \leadsto^{\mathrm{form}} \lambda Q_f.\,\Pi x{:}A.\,\Pi \hat x{:}\hat S(\eta_A(x)).\,L_f(Q_f\,\eta_A(x))}
\]
\[
\frac{}{\Gamma \vdash \top \sqsubset K \leadsto^{\mathrm{form}} \lambda Q_f.\,1}
\qquad
\frac{\Gamma \vdash L_1 \sqsubset K \leadsto^{\mathrm{form}} L_{1f} \quad \Gamma \vdash L_2 \sqsubset K \leadsto^{\mathrm{form}} L_{2f}}{\Gamma \vdash L_1 \wedge L_2 \sqsubset K \leadsto^{\mathrm{form}} \lambda Q_f.\,L_{1f}(Q_f) \times L_{2f}(Q_f)}
\]

$\Gamma \vdash_\Sigma Q^+ \sqsubset P^- \Rightarrow L^- \leadsto \hat Q^-$

\[
\frac{s \sqsubset a{::}L \in \Sigma}{\Gamma \vdash s \sqsubset a \Rightarrow L \leadsto s_f}
\qquad
\frac{\Gamma \vdash Q \sqsubset P \Rightarrow \Pi x{::}S \sqsubset A.\,L \leadsto \hat Q \quad \Gamma \vdash N \Leftarrow S \leadsto \hat N \quad [N/x]^{l}_{A} L = L'}{\Gamma \vdash Q\,N \sqsubset P\,N \Rightarrow L' \leadsto \hat Q\,N\,\hat N}
\]
\[
\frac{\Gamma \vdash Q \sqsubset P \Rightarrow L_1 \wedge L_2 \leadsto \hat Q}{\Gamma \vdash Q \sqsubset P \Rightarrow L_1 \leadsto \pi_1\,\hat Q}
\qquad
\frac{\Gamma \vdash Q \sqsubset P \Rightarrow L_1 \wedge L_2 \leadsto \hat Q}{\Gamma \vdash Q \sqsubset P \Rightarrow L_2 \leadsto \pi_2\,\hat Q}
\]

$\Gamma \vdash_\Sigma S^+ \sqsubset A^+ \leadsto \hat S^-$

\[
\frac{\Gamma \vdash Q \sqsubset P \Rightarrow L \leadsto \hat Q \quad L = \mathsf{sort}}{\Gamma \vdash Q \sqsubset P \leadsto \lambda N.\,Q\,[\hat Q]\,N}\ (Q\text{-F})
\]
\[
\frac{\Gamma \vdash S \sqsubset A \leadsto \hat S \quad \Gamma, x{::}S \sqsubset A \vdash S' \sqsubset A' \leadsto \hat S'}{\Gamma \vdash \Pi x{::}S \sqsubset A.\,S' \sqsubset \Pi x{:}A.\,A' \leadsto \lambda N.\,\Pi x{:}A.\,\Pi \hat x{:}\hat S(\eta_A(x)).\,\hat S'(N \mathbin{@} x)}\ (\Pi\text{-F})
\]
\[
\frac{}{\Gamma \vdash \top \sqsubset A \leadsto \lambda N.\,1}\ (\top\text{-F})
\qquad
\frac{\Gamma \vdash S_1 \sqsubset A \leadsto \hat S_1 \quad \Gamma \vdash S_2 \sqsubset A \leadsto \hat S_2}{\Gamma \vdash S_1 \wedge S_2 \sqsubset A \leadsto \lambda N.\,\hat S_1(N) \times \hat S_2(N)}\ (\wedge\text{-F})
\]

Note: no intro rules for classes $\top$ and $L_1 \wedge L_2$. 

$K^+ \leadsto^{d} K_p^-$

\[
\frac{}{\mathsf{type} \leadsto^{d} \lambda(Q_f, P).\,Q_f \to P \to \mathsf{type}}
\qquad
\frac{K \leadsto^{d} K_p}{\Pi x{:}A.\,K \leadsto^{d} \lambda(Q_f, P).\,\Pi x{:}A.\,K_p(Q_f\,\eta_A(x),\ P\,\eta_A(x))}
\]

$K^+ \leadsto^{s} K_s^-$

\[
\frac{}{\mathsf{type} \leadsto^{s} \lambda(P, Q_{1f}, Q_1, Q_{2f}, Q_2).\,\Pi f_1{:}Q_{1f}.\,\Pi f_2{:}Q_{2f}.\,\Pi x{:}P.\,Q_1\,[f_1]\,x \to Q_2\,[f_2]\,x}
\]
\[
\frac{K \leadsto^{s} K_s}{\Pi x{:}A.\,K \leadsto^{s} \lambda(P, Q_{1f}, Q_1, Q_{2f}, Q_2).\,\Pi x{:}A.\,K_s(P', Q_{1f}', Q_1', Q_{2f}', Q_2')}
\]
(where, for each $P$, $P' = P\,\eta_A(x)$) 
B.2. Typing. 

$\Gamma \vdash_\Sigma R^+ \Rightarrow S^- \leadsto \hat R^-$

\[
\frac{c{::}S \in \Sigma}{\Gamma \vdash c \Rightarrow S \leadsto \hat c}\ (\text{const})
\qquad
\frac{x{::}S \sqsubset A \in \Gamma}{\Gamma \vdash x \Rightarrow S \leadsto \hat x}\ (\text{var})
\]
\[
\frac{\Gamma \vdash R_1 \Rightarrow \Pi x{::}S_2 \sqsubset A_2.\,S \leadsto \hat R_1 \quad \Gamma \vdash N_2 \Leftarrow S_2 \leadsto \hat N_2 \quad [N_2/x]^{s}_{A_2} S = S'}{\Gamma \vdash R_1\,N_2 \Rightarrow S' \leadsto \hat R_1\,N_2\,\hat N_2}\ (\Pi\text{-E})
\]
\[
\frac{\Gamma \vdash R \Rightarrow S_1 \wedge S_2 \leadsto \hat R}{\Gamma \vdash R \Rightarrow S_1 \leadsto \pi_1\,\hat R}\ (\wedge\text{-E}_1)
\qquad
\frac{\Gamma \vdash R \Rightarrow S_1 \wedge S_2 \leadsto \hat R}{\Gamma \vdash R \Rightarrow S_2 \leadsto \pi_2\,\hat R}\ (\wedge\text{-E}_2)
\]

$\Gamma \vdash_\Sigma N^+ \Leftarrow S^+ \leadsto \hat N^-$

\[
\frac{\Gamma \vdash R \Rightarrow Q' \leadsto \hat R \quad \Gamma \vdash Q' \le Q \leadsto F}{\Gamma \vdash R \Leftarrow Q \leadsto F(R, \hat R)}\ (\text{switch})
\qquad
\frac{\Gamma, x{::}S \sqsubset A \vdash N \Leftarrow S' \leadsto \hat N}{\Gamma \vdash \lambda x.\,N \Leftarrow \Pi x{::}S \sqsubset A.\,S' \leadsto \lambda x.\,\lambda \hat x.\,\hat N}\ (\Pi\text{-I})
\]
\[
\frac{}{\Gamma \vdash N \Leftarrow \top \leadsto ()}\ (\top\text{-I})
\qquad
\frac{\Gamma \vdash N \Leftarrow S_1 \leadsto \hat N_1 \quad \Gamma \vdash N \Leftarrow S_2 \leadsto \hat N_2}{\Gamma \vdash N \Leftarrow S_1 \wedge S_2 \leadsto (\hat N_1, \hat N_2)}\ (\wedge\text{-I})
\]

$\Gamma \vdash_\Sigma Q_1^+ \le Q_2^+ \leadsto F^-$

\[
\frac{Q_1 = Q_2}{\Gamma \vdash Q_1 \le Q_2 \leadsto \lambda(R, \hat R).\,\hat R}\ (\text{refl})
\]
\[
\frac{Q_1 \le Q' \leadsto Q_1\text{-}Q' \quad \Gamma \vdash Q_1 \sqsubset P \Rightarrow \mathsf{sort} \leadsto \hat Q_1 \quad \Gamma \vdash Q' \le Q_2 \leadsto F \quad \Gamma \vdash Q' \sqsubset P \Rightarrow \mathsf{sort} \leadsto \hat Q'}{\Gamma \vdash Q_1 \le Q_2 \leadsto \lambda(R, \hat R).\,F(R,\ Q_1\text{-}Q'\ \hat Q_1\ \hat Q'\ R\ \hat R)}\ (\text{climb})
\]

$Q_1^+ \le Q_2^+ \leadsto Q_1\text{-}Q_2^-$

\[
\frac{s_1 \le s_2 \in \Sigma}{s_1 \le s_2 \leadsto s_1\text{-}s_2}
\qquad
\frac{Q_1 \le Q_2 \leadsto Q_1\text{-}Q_2}{Q_1\,N \le Q_2\,N \leadsto Q_1\text{-}Q_2\,N}
\]
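As an added example, not part of the paper, the Python below decides the subsorting judgment $Q_1 \le Q_2$ of Appendix A.4 in the algorithmic form that Lemma 6.3 and the refl and climb rules describe: a right-nested chain of signature steps $s_1 \le s_2$ ending in reflexivity, with the application rule handled by requiring the two sorts' arguments to coincide. It also checks the A.5 side condition on a declaration $s_1 \le s_2$, namely that both sorts are declared and refine the same $a{::}L$. The sort names, the dictionary layout and the function names are constructed for this example; the coercion constant names `s1-s2` follow the naming the translation in B.3 uses.

```python
from collections import deque
from typing import Dict, List, Optional, Tuple

# Constructed signature fragment.  SORTS[s] = (a, L) records a declaration
# s ⊏ a::L with the class L kept as an opaque string; DECLS lists the s1 ≤ s2
# declarations.  "vec" sorts take one argument, so they exercise the
# application rule Q1 N ≤ Q2 N.
SORTS: Dict[str, Tuple[str, str]] = {
    "zero":   ("nat", "sort"),
    "even":   ("nat", "sort"),
    "odd":    ("nat", "sort"),
    "pos":    ("nat", "sort"),
    "any":    ("nat", "sort"),
    "sorted": ("vec", "Pi n::any<nat. sort"),
    "anyvec": ("vec", "Pi n::any<nat. sort"),
}
DECLS: List[Tuple[str, str]] = [
    ("zero", "even"), ("odd", "pos"), ("even", "any"), ("pos", "any"),
    ("sorted", "anyvec"),
]

# An atomic sort Q = s N1 ... Nk is represented as (s, (N1, ..., Nk)) with the
# arguments as opaque strings; equality of arguments stands in for Q1 = Q2.
Sort = Tuple[str, Tuple[str, ...]]

def check_subsort_decls(sorts: Dict[str, Tuple[str, str]],
                        decls: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Well-formedness of s1 ≤ s2 declarations per Appendix A.5: both sorts must be
    declared and must refine the same family a at the same class L.
    Returns the list of violations (empty when the signature is well-formed)."""
    bad = []
    for s1, s2 in decls:
        if s1 not in sorts or s2 not in sorts:
            bad.append((s1, s2, "undeclared sort"))
        elif sorts[s1] != sorts[s2]:
            bad.append((s1, s2, "sorts refine different families or classes"))
    return bad

def subsort_chain(decls: List[Tuple[str, str]], q1: Sort, q2: Sort) -> Optional[List[str]]:
    """Decide Q1 ≤ Q2.  Returns the right-nested chain [s1, s', ..., s2] of base sorts
    that an algorithmic derivation (climb steps followed by refl) uses, or None
    when Q1 ≤ Q2 is not derivable.  A chain of length one is the refl case."""
    s1, args1 = q1
    s2, args2 = q2
    if args1 != args2:          # congruence: Q1 N ≤ Q2 N needs the same argument
        return None
    # Breadth-first search over the declared s1 ≤ s2 edges; each sort is
    # visited at most once, so cycles such as s1 ≤ s2, s2 ≤ s1 terminate.
    prev: Dict[str, Optional[str]] = {s1: None}
    todo = deque([s1])
    while todo:
        s = todo.popleft()
        if s == s2:             # reached: unwind the path back to s1
            chain = []
            cur: Optional[str] = s
            while cur is not None:
                chain.append(cur)
                cur = prev[cur]
            return chain[::-1]
        for a, b in decls:
            if a == s and b not in prev:
                prev[b] = s
                todo.append(b)
    return None

def coercions(chain: List[str]) -> List[str]:
    """The signature coercion constants s1-s2 that the climb rule applies along
    a chain, innermost (the first step from s1) first."""
    return [f"{a}-{b}" for a, b in zip(chain, chain[1:])]

if __name__ == "__main__":
    print(check_subsort_decls(SORTS, DECLS))                  # []
    chain = subsort_chain(DECLS, ("odd", ()), ("any", ()))
    print(chain, coercions(chain))                            # odd -> pos -> any
    print(subsort_chain(DECLS, ("sorted", ("n",)), ("anyvec", ("m",))))  # None
```

The search only ever follows declared edges in their declared direction, so the chain it returns corresponds one-to-one to a derivation in which every transitivity step is a climb and the final step is refl; the transitivity and reflexivity rules of A.4 at arbitrary positions are never needed, which is the normalization Lemma 6.3 relies on.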
B.3. Signatures and Contexts. 

$\vdash \Sigma^+\ \mathsf{sig} \leadsto \hat\Sigma^-$

\[
\frac{}{\vdash \cdot\ \mathsf{sig} \leadsto \cdot}
\qquad
\frac{\vdash \Sigma\ \mathsf{sig} \leadsto \hat\Sigma \quad \cdot \vdash_\Sigma K \Leftarrow \mathsf{kind} \quad a{:}K' \notin \Sigma}{\vdash \Sigma, a{:}K\ \mathsf{sig} \leadsto \hat\Sigma, a{:}K}
\]
\[
\frac{\vdash \Sigma\ \mathsf{sig} \leadsto \hat\Sigma \quad \cdot \vdash_\Sigma A \Leftarrow \mathsf{type} \quad c{:}A' \notin \Sigma}{\vdash \Sigma, c{:}A\ \mathsf{sig} \leadsto \hat\Sigma, c{:}A}
\]
\[
\frac{\vdash \Sigma\ \mathsf{sig} \leadsto \hat\Sigma \quad a{:}K \in \Sigma \quad \cdot \vdash_\Sigma L \sqsubset K \leadsto^{\mathrm{form}} L_f \quad K \leadsto^{d} K_p \quad s \sqsubset a'{::}L' \notin \Sigma}{\vdash \Sigma, s \sqsubset a{::}L\ \mathsf{sig} \leadsto \hat\Sigma,\ \tilde s{:}K,\ s_f{:}L_f(\tilde s),\ s{:}K_p(\tilde s, a)}
\]
\[
\frac{\vdash \Sigma\ \mathsf{sig} \leadsto \hat\Sigma \quad c{:}A \in \Sigma \quad \cdot \vdash_\Sigma S \sqsubset A \leadsto \hat S \quad c{::}S' \notin \Sigma}{\vdash \Sigma, c{::}S\ \mathsf{sig} \leadsto \hat\Sigma,\ \hat c{:}\hat S(\eta_A(c))}
\]
\[
\frac{\vdash \Sigma\ \mathsf{sig} \leadsto \hat\Sigma \quad s_1 \sqsubset a{::}L \in \Sigma \quad s_2 \sqsubset a{::}L \in \Sigma \quad a{:}K \in \Sigma \quad K \leadsto^{s} K_s}{\vdash \Sigma, s_1 \le s_2\ \mathsf{sig} \leadsto \hat\Sigma,\ s_1\text{-}s_2{:}K_s(a, \tilde s_1, s_1, \tilde s_2, s_2)}
\]

$\vdash_\Sigma \Gamma^+\ \mathsf{ctx} \leadsto \hat\Gamma^-$

\[
\frac{}{\vdash \cdot\ \mathsf{ctx} \leadsto \cdot}
\qquad
\frac{\vdash \Gamma\ \mathsf{ctx} \leadsto \hat\Gamma \quad \Gamma \vdash S \sqsubset A \leadsto \hat S}{\vdash \Gamma, x{::}S \sqsubset A\ \mathsf{ctx} \leadsto \hat\Gamma,\ x{:}A,\ \hat x{:}\hat S(\eta_A(x))}
\]